Snort on Alix 2D3 beginners questions
I'm very new to pfsense, freeBSD and firewalls, so please be gentle ;)
My setup is very simple: one WAN (ADSL modem), two local machines connected to LAN and OPT1 (bridged to LAN). pfsense 1.2.3 nanobsd on an Alix 2D3 with a 4GB Kingston CF card. No servers running locally, there is no pass rule for the WAN interface.
I'm curious to detect any attack attempts coming my way. Installation of snort (22.214.171.124_5 pkg v. 1.6) worked fine and I'm happily experimenting. Now I do have a series of questions I'm having trouble finding answers to. I did try to search the forums but was not successful. So here goes:
The basics:
Does using snort on the WAN make sense at all in my setup without pass rule for that interface? Would I still be able to identify potential attack attempts?
Snort and CF cards:
I understand that snort needs quite a lot of memory and possibly disk space. I have seen recommendations to not use snort on embedded systems due to the limited number of write cycles CF cards support (aside from performance issues). Is the issue of limited lifetime of CF cards addressed in the nanobsd version of pfsense, e.g. using ram disks, or is this a real concern? That is, is the CF card mounted r/w when using snort or read only?
Selecting categories:
Given the limited number of rules my small box can run simultaneously, I try to limit the categories of rules I select to the bare necessary. However, I'm not knowledgeable enough to understand exactly what type of threats each of the available categories addresses, and which would be the most relevant for me. Where would I be able to get specific documentation about each rule category?
Thanks in advance for any hint to get me started!
I have now established that the CF card is indeed mounted r/w on my box with snort installed, and it appears that this is not the default on a clean pfsense embedded install (I didn't check on my box before installing snort). Has anyone tried to have a snort install on pfsense with /var/log mounted as tmpfs as mentioned here: http://www.ebbmar.com/?p=112? I suppose that this will not help with memory usage, which seems to be the major limitation for snort on this platform. However, with just a small subset of the rules enabled on my low-traffic home network and snort in lowmem mode, I'm not yet pushing the limits of my box (70% of memory usage).
Snort really shouldn't be leaving it RW, I'm not sure how that is happening. At one point when I had first made it work on NanoBSD it was properly keeping the CF RO when it needed to be, but that has been several months ago since I touched it.
Running snort may be overkill, depending on what you need it for. If you're worried about port scans and such, and you have no inbound pass rules, there really isn't anything to worry about. Snort might block the IP but that gains you nothing since it's already blocked. :)
Now if you're worried about things coming in via HTTP (spyware and such) or out from your PCs it might be better to run snort on the LAN side. Otherwise, you can't see which internal IP address tried to access that content.
In the future, when snort is running inline, it won't matter which interface you run it on, but that won't be until pfSense 2.0 or so.
Ok, my bad. The CF card is NOT mounted read-write permanently. I didn't have ssh enabled yet, so I issued the "mount" command via the web interface (Diagnostics > Command > Execute shell command), and concluded from the output that pfsense0 was mounted r/w. Which it was, presumably, just for the duration of the execution of that command… When I log in via ssh, /dev/ufs/pfsense0 indeed shows as mounted read-only. Sorry about the confusion!
However, no answer without a new question, I guess: When looking through the logs to see what might be going on, I noticed that snort actually starts twice, back to back. After the first start, I read this:
...
Feb 24 22:46:01 pfsense snort: [ LowMem Search-Method Memory Used : 31.8716 MBytes ]
Feb 24 22:46:01 pfsense snort: [ LowMem Search-Method Memory Used : 31.8716 MBytes ]
Feb 24 22:46:01 pfsense snort: Snort initialization completed successfully (pid=1683)
Feb 24 22:46:01 pfsense snort: Snort initialization completed successfully (pid=1683)
Feb 24 22:46:01 pfsense snort: Not Using PCAP_FRAMES
Feb 24 22:46:01 pfsense snort: Not Using PCAP_FRAMES
Feb 24 22:46:02 pfsense SnortStartup: Ram free BEFORE starting Snort: -- Ram free AFTER starting Snort: 72M -- Mode lowmem -- Snort memory usage: 139M
Feb 24 22:46:03 pfsense check_reload_status: check_reload_status is starting
Feb 24 22:46:03 pfsense SnortStartup: Snort already running...
Feb 24 22:46:11 pfsense login: login on console as root
Feb 24 22:46:24 pfsense snort: *** Caught Hup-Signal
Feb 24 22:46:24 pfsense snort: *** Caught Hup-Signal
… followed by some statistics, two lines saying "restarting snort" and another startup sequence which to the naked eye seems identical to the first one, down to the PID of the snort process and the exact amount of memory used. It seems to me that this was not the behavior I saw immediately after setting up snort for the first time, as the "Ram free BEFORE starting Snort..." line above was visible in the web interface view of the log. Now this line appears after the first, but not the second startup of snort, and thus is not showing up at the end of the log visible in the web interface any more. I can't recall when this appeared first, so I don't know which configuration changes might have triggered this change in behavior. Possibly the installation of NUT (which is not configured yet)?
Is it common to see snort starting twice or should I look for configuration errors?
Thank you jimp for your comments so far, and also for the suggestion of running snort on the LAN side. I'm indeed worried about spyware / viruses / trojans. However, as I stated initially, I have two local machines, on LAN and OPT1, the latter being bridged to LAN. Is it sufficient then to run snort on the LAN or do I need to run it on both to protect both machines?
I understand that the default rules I download are designed to work on the WAN. Do I need to manually adapt them to the LAN? That may be more effort than I would be willing to put in… FWIW, running on the WAN, snort does pick up on stuff: IE memory corruption, MSExchange (or Outlook?) exploits... so far all from the web-client category. I don't remember the exact rules that triggered a site block, and since I just rebooted the firewall and snort seems to forget about blocked sites across restarts they're not showing up right now.
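An added example, not from this thread or from the pfSense snort package: a small POSIX shell script that reads a syslog excerpt like the one quoted above (reproduced here as constructed sample input), collapses the duplicated syslog lines, and reports how many distinct snort initializations, PIDs and HUP signals it contains, so a reload of one process can be told apart from a genuine second process. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: summarise snort start/restart events in a
# pfSense syslog excerpt. Every message in the posted log appears twice (the
# same message logged through two facilities), so identical lines are collapsed
# first; then distinct snort PIDs and HUP (reload) signals are counted.
# The log text below is constructed from lines quoted in the thread.

SNORT_LOG='Feb 24 22:46:01 pfsense snort: Snort initialization completed successfully (pid=1683)
Feb 24 22:46:01 pfsense snort: Snort initialization completed successfully (pid=1683)
Feb 24 22:46:02 pfsense SnortStartup: Ram free BEFORE starting Snort: -- Ram free AFTER starting Snort: 72M -- Mode lowmem -- Snort memory usage: 139M
Feb 24 22:46:03 pfsense SnortStartup: Snort already running...
Feb 24 22:46:24 pfsense snort: *** Caught Hup-Signal
Feb 24 22:46:24 pfsense snort: *** Caught Hup-Signal
Feb 24 22:46:25 pfsense snort: Snort initialization completed successfully (pid=1683)
Feb 24 22:46:25 pfsense snort: Snort initialization completed successfully (pid=1683)'

# snort_starts: number of distinct "initialization completed" events after
# collapsing duplicate syslog lines. Reads the log on stdin.
snort_starts() {
    awk '!seen[$0]++ && /Snort initialization completed/ { n++ } END { print n+0 }'
}

# snort_pids: distinct PIDs seen in initialization messages, space separated.
# One PID across several starts means one process was reloaded (HUP), not
# that a second snort process was launched.
snort_pids() {
    awk '/Snort initialization completed/ {
             if (match($0, /pid=[0-9]+/)) {
                 p = substr($0, RSTART+4, RLENGTH-4)
                 if (!(p in seen)) { seen[p]=1; out = out (out ? " " : "") p }
             }
         } END { print out }'
}

# snort_hups: number of distinct HUP signals (config reloads) received.
snort_hups() {
    awk '!seen[$0]++ && /Caught Hup-Signal/ { n++ } END { print n+0 }'
}

# snort_summary: one-line verdict for the embedded excerpt.
snort_summary() {
    starts=$(printf '%s\n' "$SNORT_LOG" | snort_starts)
    pids=$(printf '%s\n' "$SNORT_LOG" | snort_pids)
    hups=$(printf '%s\n' "$SNORT_LOG" | snort_hups)
    printf 'starts=%s pids=%s hups=%s\n' "$starts" "$pids" "$hups"
}

snort_summary
```

To run it against the real box, replace the embedded text with `clog /var/log/system.log` piped into the three functions.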