Quick Snort Setup Instructions for New Users
-
OP, thank you for providing this guide.
I have some questions.
16. Click the Preprocessors tab.
17. Scroll down into the General Preprocessor Settings area and then check (or enable) all of the preprocessors listed in that section EXCEPT the Sensitive Data preprocessor. It can cause a lot of alerts and is best used after you gain some experience with Snort.
It's not clear which section of preprocessors you are talking about. There is no General Preprocessor Settings area.
19. Now click on the Categories tab. This is where we will choose a threat detection policy and associated rules.
20. If you followed my advice for Snort VRT rules, this page is easy. Just click the check box for "Use IPS Policy" and then select "Connectivity" in the drop-down. Click Save and you're done! Once you gain some experience with Snort, you can come back and choose one of the other two more restrictive policies. I personally run "Balanced", but it will require some tuning if run in blocking mode.
What is the difference between Connectivity and Balanced. The description does not explain the difference.
Connectivity blocks most major threats with few or no false positives. Balanced is a good starter policy.
It is speedy, has good base coverage level, and covers most threats of the day. It includes all rules in Connectivity.
-
First: what bimmer do you drive? I have an E39, and a F01 :) Which one do you have? Engine? Automatic gear or manual? Color? Most important Options? In Bimmer world, we are One Big Family :-*
1. The General Preprocessor Settings indeed is gone. My guess is it is now 'Basic configuration settings', and a lot of other settings that used to be in 'General settings'. I think you could accept the defaults. 'Sensitive data' is now a separate setting altogether: unflag it.
2. "Connectivity" versus "balanced" is described: one is more restrictive than the other. It is really nothing more than this: in one setting more categories and rules are enabled than in the other, by default. If you wish to know which ones, enable one setting, and then inspect the rules tab to find out. It is just a helpful default suggestion from Bill, nothing more. He didn't write a tutorial for stuff you can easily see yourself by simply enabling the setting ;)
-
@Mr.:
First: what bimmer do you drive? I have an E39, and a F01 :) Which one do you have? Engine? Automatic gear or manual? Color? Most important Options? In Bimmer world, we are One Big Family :-*
I drive an E46, specifically 2002 M3 MT coupe with a lot of mods. Using your family analogy, your F01 is the stately father and my E46 is the kid that gets into a lot of trouble. E39 and F01 is an interesting combo. What are their year / model? An E39 M5 would be a nice alternate to an F01.
@Mr.:
1. The General Preprocessor Settings indeed is gone. My guess is it is now 'Basic configuration settings', and a lot of other settings that used to be in 'General settings'. I think you could accept the defaults. 'Sensitive data' is now a separate setting altogether: unflag it.
2. "Connectivity" versus "balanced" is described: one is more restrictive than the other. It is really nothing more than this: in one setting more categories and rules are enabled than in the other, by default. If you wish to know which ones, enable one setting, and then inspect the rules tab to find out. It is just a helpful default suggestion from Bill, nothing more. He didn't write a tutorial for stuff you can easily see yourself by simply enabling the setting ;)
Okay, that's what I thought.
-
8. Click the Snort Interfaces tab and then click the plus "+" icon to add a Snort interface.
9. On the If Settings tab, click the Enable checkbox.
10. In the drop-down, choose the interface. The WAN interface is the default and is a good first choice.
11. In the Description textbox, enter a name (WAN again, is fine here).
I have several OpenVPN clients that run as interfaces. Should I add them also in Snort interfaces or is it enough with just WAN?
Thanks for this great post. I followed your post and also watched this tutorial https://youtu.be/-GgqYq5-EBg
Thanks again!
-
New to Snort I follow this one https://www.youtube.com/watch?v=-GgqYq5-EBg&feature=youtu.be and setup accordingly only one interface eg the WAN.
Strange enough, I only see one source IP address (LAN) in the Alerts tab. I have 10 subnets, with many users using the internet, so what am I overlooking? For instance, in PFBlockerNG-develop I see plenty of the IPs of the subnets.
Cheers Qinn
-
@qinn said in Quick Snort Setup Instructions for New Users:
New to Snort I follow this one https://www.youtube.com/watch?v=-GgqYq5-EBg&feature=youtu.be and setup accordingly only one interface eg the WAN.
Strange enough, I only see one source IP address (LAN) in the Alerts tab. I have 10 subnets, with many users using the internet, so what am I overlooking? For instance, in PFBlockerNG-develop I see plenty of the IPs of the subnets.
Cheers Qinn
When you run Snort on the WAN, it sees inbound traffic from the Internet before the NAT rules are unwound. So every packet has the public WAN IP address of your firewall as the destination. Only after NAT is unwound will the actual LAN IP address be present.
For this reason I recommend users run Snort on the LAN and not the WAN. When you run it on the LAN, it sees packets after NAT has been unwound so the IP addresses map directly to your LAN hosts.
-
@bmeeks first thank you for the advice. I have changed it from WAN to WLAN (a private VLAN subnet for an AP) which has internet access and roughly 20 nodes, smartphones, desktops, Sonos etc.
In 2 hours time there were 10 alerts => (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
I have only enabled "Snort will use rules from one of three pre-defined IPS policies in the Snort Subscriber rules" and IPS Policy Selection checked.
-
@qinn said in Quick Snort Setup Instructions for New Users:
@bmeeks first thank you for the advice. I have changed it from WAN to WLAN (a private VLAN subnet for an AP) which has internet access and roughly 20 nodes, smartphones, desktops, Sonos etc.
In 2 hours time there were 10 alerts => (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
I have only enabled "Snort will use rules from one of three pre-defined IPS policies in the Snort Subscriber rules" and IPS Policy Selection checked.
The HTTP_INSPECT preprocessor rules will fire frequently and these days are mostly false positives. Most admins disable several of the HTTP_INSPECT rules. Search the IDS/IPS sub-forum here for suggestions on Snort Suppression Lists to find rules that most users suggest either suppressing or disabling.
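An added example (not part of bmeeks's post or the pfSense Snort package) of how an admin can turn the advice above into a suppress list: it parses constructed Snort alert_fast lines, counts hits per GID:SID, and emits suppress entries only for the http_inspect preprocessor events (GID 119 client side, GID 120 server side, e.g. 120:3 for the NO CONTENT-LENGTH alert quoted above). The sample lines, hosts and hit counts are constructed; the emitted syntax is Snort's own threshold/suppress format.

```python
import re
from collections import Counter

# Constructed alert_fast sample lines (not a real log); 120:3 is the event quoted in the thread.
SAMPLE_ALERTS = """\
03/01-10:02:11.120344  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.20.15:51234
03/01-10:05:42.003210  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.11:80 -> 192.168.20.22:49822
03/01-10:07:03.551000  [**] [119:19:1] (http_inspect) LONG HEADER [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.20.15:50111 -> 203.0.113.12:80
03/01-10:09:17.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.13:80 -> 192.168.20.30:44110
"""

# Fields of one alert_fast line: [gid:sid:rev] message, protocol and the src -> dst pair.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

HTTP_INSPECT_GIDS = {119, 120}  # http_inspect client (119) and server (120) preprocessor events


def parse_alerts(text):
    """Return one dict per parseable alert line; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
            alerts.append(d)
    return alerts


def count_by_signature(alerts):
    """Hit count per (gid, sid, msg) so the noisiest signatures stand out."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def suppress_entries(alerts, only_gids=HTTP_INSPECT_GIDS):
    """Suppress-list lines for preprocessor signatures only. A suppress entry hides the
    alert but keeps the rule running; real text rules (GID 1) are left alone so the
    admin decides about those by hand rather than silencing them wholesale."""
    lines = []
    for (gid, sid, msg), n in sorted(count_by_signature(alerts).items()):
        if gid in only_gids:
            lines.append(f"# {msg} ({n} hits)\nsuppress gen_id {gid}, sig_id {sid}")
    return lines


if __name__ == "__main__":
    print("\n".join(suppress_entries(parse_alerts(SAMPLE_ALERTS))))
```

The output pastes directly into a pfSense Snort Suppress List; review each entry before applying, since suppression hides the alert rather than fixing its cause.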
-
@bmeeks now I reread my reply, I realize I wasn't clear, I should have emphasized that I only had these ten alerts in 2 hours and that seems rather meager. I would have expected to see loads of alerts, as approximately 20 users (smartphones, desktops, Sonos etc.) are on this subnet.
-
@qinn, it depends totally on which precise rules are enabled and what the traffic on your network actually consists of. The goal in IDS/IPS is to get no or very few alerts and blocks. That means your network is relatively secure and clients are following the rules ... .
I don't mean that to say you should never get alerts, though. Just that you don't want to be receiving hundreds per hour. Once blocking is enabled that might drive you crazy as an admin. Within the IPS Policies, the Snort team has selected rules that provide security without a ton of false positive alerts.
-