Quick Snort Setup Instructions for New Users
-
I had a discussion recently with another Snort user about suggested setups. The user was asking whether to run Snort just on the WAN, or to run it on both the WAN and LAN. The post linked below describes a good Snort configuration method for users with a single WAN interface and a LAN interface using NAT (typical for home networks and some small businesses).
http://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417
Bill
Use this list :)
http://services.ce3c.be/ciprg/?countrys=RUSSIAN+FEDERATION
-
Is there really any benefit in completely blocking entire countries? I mean, looking at the logs of tens of servers, I'd say that most "bad" traffic seems to originate from hacked VPSes in the USA and Europe.
I typically use country CIDR ranges to explicitly whitelist ranges of IPs for SSH logins on certain systems, in those few cases where I "know" that nobody will log in from abroad.
PS: Sorry for hijacking this thread, mod(s) please feel free to move this message to a more appropriate topic.
-
First of all, sorry if it's a noob question. We use pfSense as an inter-department firewall within a private network. We could install the Snort package through the pfSense proxy setting. However, we couldn't perform the Snort rule update. Is there any way we could set a proxy for the Snort rule update, and how? Or how can we perform a Snort rule update manually?
FYR, we are using pfSense 2.0.3 with Snort 2.9.4.6 pkg v. 2.5.9
Thank you in advance.
-
Proxy support for rule updates does not currently exist, but that is an excellent idea to add to the package. I will put that on my TODO list.
Give me a little time to investigate a temp workaround for you. Perhaps a quick patch might be doable that allows Snort to use the pfSense proxy settings.
Bill
-
What's the syntax for whitelisting an external client IP in Snort?
-
I would create an Alias for the IP under Firewall…Aliases. Then go to the Whitelist tab and either create new list or choose the one being used by the interface in question. At the bottom of the edit screen for the whitelist is a red background textbox for adding an Alias. Simply choose the Alias there you created. Start typing the name of the Alias and a dropdown list should automatically appear of matching entries to choose from.
If there are several IPs, or may be several in the future, I would create an Alias group and put the IPs in there. Then choose that group on the Whitelist edit page.
Bill
-
Yes but even if you run more than one whitelist, you can only add one for the WAN interface….
-
Multiple whitelists for the same interface don't really make sense to me. It all has to be a single file for the Spoink plugin anyway. Now what could be done is allow the addition of multiple Aliases, but the same thing can be accomplished by using Alias groups. So it's six of one and half-dozen of the other as we say in America ;D The idea with multiple whitelists is to have a different one for each interface if you want.
Perhaps you are not using Aliases to their full extent? They are a powerful tool that makes future upkeep of the firewall rules and Snort easy. When an IP changes, just change it once in the Alias tab and it is instantly changed everywhere that Alias is used. Contrast this with having individual IPs scattered all over the rules in the firewall, Snort and other places. Lots of places to change then and lots of opportunity for typos.
I have yet to encounter a whitelist situation that can't be solved with a single Alias group. Then in that group I can add all kinds of host IPs and/or networks. These all get translated into actual IPs when the whitelist file is built during generation of the snort.conf file.
Lots of commercial firewalls use the same idea as Aliases. I work extensively with Check Point firewalls, and they call them "objects", but they work the same way as Aliases in pfSense. In Check Point, you cannot enter an IP address or port number anywhere in a firewall rule. Everything has to be entered as an object. You first create objects having the IP addresses and ports you want to use, then you select those objects in your rules. It seems extra work the first time you see it, but then you quickly start to appreciate the utility when you come along and need to change a host IP for instance. Just change it in the object, push the firewall policy (Check Point's term for regenerating the configuration), and the new IP address is reflected in every rule that references it. No need to manually update the IP in say a dozen rules or something (where each time you type it you could enter it wrong).
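The flattening described in the post above, as an added example that is not the pfSense Snort package's own code: an Alias may hold hosts, networks and other Aliases, and all of it is expanded into the plain IPs/CIDRs that a whitelist file can hold. The example adds two checks a practitioner would want when building such a file (an Alias that references itself, or a typo that names a non-existent Alias, fails loudly rather than producing an empty list), and the membership test that the earlier country-range SSH whitelist idea relies on. The alias table, alias names and addresses are constructed sample data.

```python
"""Expand nested firewall aliases into a flat Snort whitelist.

Added example, not the pfSense Snort package's own code. It models the idea
from the thread that an Alias may contain hosts, networks and other Aliases,
and that everything is flattened to plain IPs/CIDRs when the whitelist file
is built. The alias table below is constructed sample data.
"""
import ipaddress

# Constructed sample alias table (names and addresses are made up).
ALIASES = {
    "mgmt_hosts": ["203.0.113.10", "203.0.113.11"],
    "branch_nets": ["198.51.100.0/25", "198.51.100.128/25"],
    "partner_vpn": ["2001:db8:1::/48"],
    # Alias group: references other aliases plus a literal entry.
    "Snort_Friendly_IP": ["mgmt_hosts", "branch_nets", "partner_vpn", "192.0.2.7"],
}


def expand_alias(name, table, _seen=None):
    """Return the set of ip_network objects an alias resolves to.

    Nested aliases are expanded recursively. A reference cycle or an unknown
    alias name raises instead of silently yielding nothing, because an empty
    whitelist would quietly protect no one.
    """
    if _seen is None:
        _seen = set()
    if name in _seen:
        raise ValueError(f"alias cycle detected at {name!r}")
    if name not in table:
        raise KeyError(f"unknown alias {name!r}")
    _seen = _seen | {name}
    nets = set()
    for entry in table[name]:
        if entry in table:
            nets |= expand_alias(entry, table, _seen)
        else:
            # strict=False tolerates a network entry with host bits set;
            # anything that is not an address or CIDR raises ValueError.
            nets.add(ipaddress.ip_network(entry, strict=False))
    return nets


def build_whitelist(name, table):
    """Flatten an alias to sorted CIDR strings for the whitelist file.

    Adjacent and overlapping entries are merged per address family
    (collapse_addresses refuses mixed IPv4/IPv6 input), which keeps the
    generated file short.
    """
    nets = expand_alias(name, table)
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


def alias_error(name, table):
    """Return a human-readable problem with an alias, or None if it expands cleanly."""
    try:
        expand_alias(name, table)
    except (ValueError, KeyError) as exc:
        return str(exc)
    return None


def is_whitelisted(addr, whitelist):
    """Check one source address against the flattened list.

    This is the same test a country-range SSH allow-list performs; an address
    of the other IP version never matches.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr) for cidr in whitelist)


if __name__ == "__main__":
    for line in build_whitelist("Snort_Friendly_IP", ALIASES):
        print(line)
```

Running it prints the flattened list; the two adjacent /32 hosts become one /31 and the two /25 halves become one /24, which is what collapsing buys you. Changing an address in one inner alias changes the generated file everywhere that alias is referenced, which is the upkeep argument made above.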
-
Alias Group??? Where in the GUI is that Bill?
-
You can create an Alias that has other Aliases in it. Under Firewall…Aliases. Attached are two screenshots showing my whitelist alias group. Click the (e) to edit the alias. Then on the next screen click the (+) icon to add more entries to the alias (in effect making it an Alias Group).
Bill
-
This is great!! Thx ;)
-
Here is the Whitelist entry itself. Notice the Alias down at the bottom is the one created in the previous screenshots.
Bill
-
I understand! Thx mate. Really appreciated!
-
You're welcome. I just used some quick and dirty names for example, but you could name things logically and perhaps create a "WAN_whitelist_hosts" Alias and then others for different interfaces. As I said, Aliases are very powerful tools once you get the hang of using them.
Bill
-
I have named it Snort Friendly IP :D
-
Sent you a PM with my e-mail address. Reply back to the address and I will send you a patched file I would like for you to test for me. I think it will allow Snort rule updates through the pfSense system proxy.
Bill
-
Thank you both for the explanations, I learned something valuable ;D
-
Could I ask a question about the oinkcode?
I purchased a subscription, but I am not quite sure if I understand the GUI correctly now.
Before, for the last couple of months, when I didn't have a subscription, I flagged 'install snort community rules' (obviously, since they are free ;D) and also enabled them on both interfaces (for example: WAN-categories -> Select the rulesets Snort will load at startup -> Snort GPLv2 Community Rules (VRT certified)).
But now that my oinkcode stands for a paid subscription, do I still have to select 'install snort community rules', or is just selecting the right 'IPS-policy' sufficient? I ask, since specifically now I don't see any alerts in my Snort-log anymore.
Thank you for your answer ;D
-
@Hollander:
The paid subscription Oinkcode automatically includes the "Snort Community Rules" in the downloaded rule set, so you do not need to manually select those anymore.
Just check the Snort VRT rules (and optionally Emerging Threats if you want some of those), then choose an IPS Policy. You will get the Community Rules this way.
Bill
-
I have Snort up and running. I subscribed to the VRT rules. However, when I added my oinkcode, it doesn't seem to download the latest subscriber rules. For example, I ran the update today, and it downloaded snortrules-snapshot-2946.tar.gz from Sept 3. It should have downloaded snortrules-snapshot-2950.tar.gz