Quick Snort Setup Instructions for New Users
-
Thank you Bill,
It was late and I was tried yesterday :) I found the cause of the problem and basically I just need a restart for my OINK to work and to be able to download the definitions…
Thank you for clarifying other things and advice. Much appreciated as the whole guide :)
Seb
-
hi!
is it possible to run snort-inline?
actually if not then i wouldnt call it an IPS.
regards
Karl
-
hi!
is it possible to run snort-inline?
actually if not then i wouldnt call it an IPS.
regards
Karl
Snort is kinda-sorta "inline" on pfSense. It can insert blocks into the firewall. It is not 100% technically inline like it would be in a classic pure IPS.
Bill
-
My SNORT will produce a lot alerts but only few blocks (ATM it runs only on WAN interface). Before adding pfblocker and running Snort in "Use IPS Policy" (I run it in security mode) it was blocking a lot more.
I dont have any custom whitelist and my Suppress contains only of google ip(s).
Any ideas?
Thanks
-
… Before adding pfblocker and running Snort in "Use IPS Policy" (I run it in security mode) it was blocking a lot more.
I dont have any custom whitelist and my Suppress contains only of google ip(s).
Any ideas?
Thanks
It could be that pfBlocker is preempting Snort and putting blocks in place. I don't think the blocks of a particular IP address will be duplicated.
Also, you did not post the version of pfSense you are running. If it is 2.1, then a problem with the filter_reload() function within that version of pfSense periodically clears the Snort block table. So Snort is possibly blocking the IP, then the pfSense filter_reload() function comes along and clears the table. When you look at the BLOCKED tab in Snort, it is actually reading the current entries from the snort2c block table that pfSense maintains. The table may have been recently cleansed by the filter_reload() routine.
However, even considering the above, protection afforded by Snort is still there. On the next offending packet from one of those formerly blocked IP addresses, Snort will insert a fresh block.
Bill
-
Thank you OP for the guide. I have some basic questions about setting up Snort. In the guide it said click the green arrow in the Snort column on the Interface tab so it turns red. But the tooltip says green is enabled and red is stopped, am I confused? Also, why does my Block column say DISABLED when though Snort is enabled?
-
Thank you OP for the guide. I have some basic questions about setting up Snort. In the guide it said click the green arrow in the Snort column on the Interface tab so it turns red. But the tooltip says green is enabled and red is stopped, am I confused? Also, why does my Block column say DISABLED when though Snort is enabled?
The arrow color was recently changed to be more in "sync" with the rest of the interface. It used to be press the green to start, press the red to stop. The problem was that it showed a red arrow on the status tab while snort was running, which was different with all the rest of the interface (green means OK).
The reason it says that, is that we cannot change old posts on this forum.To clarrify myself:
Green means snort IS running, you click it to STOP it.
Red means snort is NOT running, you click it to START it. -
Also, why does my Block column say DISABLED when though Snort is enabled?
Did you tell Snort to block offenders? (Interface -> block offenders).
-
@Hollander:
Also, why does my Block column say DISABLED when though Snort is enabled?
Did you tell Snort to block offenders? (Interface -> block offenders).
Now it says blocked, thank you.
-
@Hollander:
Also, why does my Block column say DISABLED when though Snort is enabled?
Did you tell Snort to block offenders? (Interface -> block offenders).
Now it says blocked, thank you.
You're most welcome ;D
-
I just wanted to thank you for this guide. I just set up a PFSense install on an old Dell PowerEdge2850 server. This helped me more than I can say. The old network admins left no documentation behind, so when I had to rebuild PFS from scratch, I was a little out of my depth. This certainly made setting up snort more than a little easier. Especially since I really didn't even know where to start. Thanks a million.
-
If anyone winds up without any blocked items over time in their Blocked tab despite loads of alerts, check your "Status: System logs: General" tab and look for any services reporting FILTER reloads or reconfigurations. Since filter reloads cause the block table to clear, misconfigured or broken services can cause the Blocked tab to appear consistently empty.
Rob…
-
Good day !
I have 2 WAN Interfaces and was trying to set up rules according to this forum. Making a setup for 1 interface took me around 1,5 hour. The question is - Is there any facility to simply copy the ruleset between interfaces ?
Thank you in advance. -
Good day !
I have 2 WAN Interfaces and was trying to set up rules according to this forum. Making a setup for 1 interface took me around 1,5 hour. The question is - Is there any facility to simply copy the ruleset between interfaces ?
Thank you in advance.Not currently, but another user requested something similar. I have that sort of feature on my TODO list. I was thinking along the lines of being able to create "templates" with rules, preprocessors, variables, and some other parameters all configurable. You could save and name the templates, then apply one to any interface on demand. Would that work for you?
Bill
-
I have the community rules box checked, but when I go to the tab to update, the button is greyed out. Am I doing something wrong? If I select the emerging threat box, I am able to click the update button, but with just community rules checked, I am not.
-
Thank you beemks ! Yes, I think it worked for me. Does it means what Snort consider Autogenerated Supress list as "top list" ?
-
Thank you beemks ! Yes, I think it worked for me. Does it means what Snort consider Autogenerated Supress list as "top list" ?
The auto-generated list will have the name of the interface followed by a random number (UUID).
Bill
-
I don't want to discount Bill's efforts on this thread. It is absolutely the best place to start.
That said, I've recently introduced pfSense and the Snort package to a few friends who are long time, big time, professional security hawks looking for a solution at home a bit more elegant than running generations old (but affordable) dedicated firewall hardware. I believe the best "find" I have come across and directed my friends to is the "fine tuning" post started by user "jflsakfja" as this thread:
https://forum.pfsense.org/index.php/topic,64674.0.html
This user requested the ability some time ago at the start of that thread to be able to edit his post in this sticky rather than having to continuously add to an existing thread. I, for one, would like this be reconsidered by the mods as the above thread is slowly being buried as time passes. I can only surmise the lack of updates as anticipated by "jflsakfja" could be because of a lack of response (evidenced by lack of edits here as of this date) to that request. Or perhaps because I've pushed him/her for more information…? If not at least maybe this post can serve as a jump point for folks looking for or could benefit from that information.
I'd like to see his/her updates continue as the schema introduced by this user may not be the absolute best way of setting up Snort and pfBlocker but its the best I've come across and certainly has made my system more efficient and less troublesome. Judging by recent posts in the Packages area, it seems many others could benefit from this schema as well.... if they knew about it.
Respectfully submitted,
Rick -
Is there any way to log the packets that trigger a snort alert? Mainly I want to see HTTP header and request associated with the alert.
-
Is there any way to log the packets that trigger a snort alert? Mainly I want to see HTTP header and request associated with the alert.
The new 2.9.6.0 version of Snort offers increased packet/file capture abilities according to the post on the Snort.org web site. I am working now on readying that version for the next Snort package update. I will investigate what is offered in the new binary and see what I can reasonably incorporate into the GUI.
I had a similar request from some folks in the new Suricata BETA package thread where the wish was a clickable link from the alert on the ALERTS tab to a view of the packets that triggered the alert. I am mulling over in my head the best way to accomplish that without bogging down the firewall CPU searching through hundreds of megabytes of packet capture files. In general its better to offload such tasks to an external system.
Bill
