Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Quick Snort Setup Instructions for New Users

    IDS/IPS
    46
    147
    215404
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dhettinger last edited by

      Just wanted to say thanks, I'm a first time Snort user and this really helped me get things up and running to the point where I can start dicking around and experimenting.  :D

      1 Reply Last reply Reply Quote 0
      • ?
        A Former User last edited by

        The Missing Part to Quick Snort Setup Instructions for New Users

        Instructions on making the most of your shiny new IDS
        Snort is designed to block pretty much anything you can think of. That's why there are many false positives. When I first started using snort, I was constantly banging my head on my desk because most sites would be blocked for (seemingly) no reason.
        The CORRECT way to stop false positives is to disable the rules causing them, NOT using suppression lists. I may hear you ask "but all other places on the internet say use suppression lists, why shouldn't I?".
        A little (simplified) info on how snort works will help you understand why.
        Snort takes the packets and analyses them. Matches to the rules will be forwarded to alerts, then pfsense's plugin takes over and bans them. Suppression lists work just before the last step. They stop alerts from being produced. Disabling rules stops the "process" at the very beginning. Why analyze a packet if you are going to ignore it? This saves CPU processing which could be used for other purposes (eg enable more rules).
        There are times when this will not work. Rules deep deep inside snort (preprocessor rules) have no way of being disabled (if I'm wrong about this, please correct me). That's where suppression lists become useful.

        With that out of the way, this is the process to stop false positives.

        1. Identify the rule causing them. On the alerts tab you will find all alerts (no kidding). The last columns should show a number in the format x:YYYY:x and an explanation for the rule.
          I'll use this for this example:
          x:2000419:x ET POLICY PE EXE or DLL Windows file download
        2. copy the YYYY part (2000419). Take a look at the explanation. ET (emerging threats) POLICY. This means you'll find this rule in emerging-policy list.
        3. go to the snort home page (services> snort). Click the e to edit interface settings, then go to rules. In the drop down select emerging-policy. Assuming you use firefox, CTRL+F and paste the rule number (called sig_id, signature ID) and click next. For other browsers, find a way to search the page for a term and enter the number there.
        4. click the red or yellow (depending if you previously enabled the rule) to turn it into a lighter shade of yellow (see bottom of page).
        5. top of page, click apply changes and wait for the page to reload.
        6. go back to the snort home page and restart the interface (click the red x until it becomes green, wait a couple of seconds and click it again to turn it back to red) <<< DO NOT FORGET THIS STEP
          –----warning!!!-------
          as of version 2.5.8 the icons are now swapped. Green is running, red is not running. So invert the colors above

        1. relax, the rule is now disabled and will stop generating alerts. Go to blocked tab, and find the ip that it previously banned and unban it (click the button to the right of the explanation).

        In that rare case you cannot find the rule causing the alert (eg explanation does not offer information about the list), first check GPLv2 list, then IPS policy list. If you still cannot find it, a suppression entry is needed. Simply click the add to suppression list (little +) next to the rule on the alerts tab. Assuming you have set up your suppression list correctly, it will be added to it. Restart the interface (step 6 above), unban the ip, and you are done!

        And now for my contribution to the community. The default enabled rules are too relaxed. We need to enable more rules, but a word of caution. ONLY USE THIS LIST IF YOU HAVE ENOUGH MEMORY.
        I'm currently using it on redundant CARP firewalls, with a crappy p4 cpu and 2GB of ram each. The systems average about 25-30% RAM usage.The list below shows how snort is configured on a production environment and works perfectly (for me) but it is not complete. Entries that do not have a DONE > in front of them are NOT COMPLETED. Please review and make changes depending on your environment.

        In tab "Rules", under "Category" select:
        (--- means blank table at time of writing)

        DONE > emerging-activex > all

        DONE > emerging-attack_responses > all

        DONE > emerging-botcc > all

        DONE > emerging-chat > all except:
        2010784 ET CHAT Facebook Chat (send message)
        2010785 ET CHAT Facebook Chat (buddy list)
        2010786 ET CHAT Facebook Chat (settings)
        2010819 ET CHAT Facebook Chat using XMPP
        2002327 ET CHAT Google Talk (Jabber) Client Login
        2002334 ET CHAT Google IM traffic Jabber client sign-on
        2001241 ET CHAT MSN file transfer request
        2001242 ET CHAT MSN file transfer accept
        2001243 ET CHAT MSN file transfer reject
        2001682 ET CHAT MSN IM Poll via HTTP
        2002192 ET CHAT MSN status change
        2008289 ET CHAT Possible MSN Messenger File Transfer
        2009375 ET CHAT General MSN Chat Activity
        2009376 ET CHAT MSN User-Agent Activity

        DONE > emerging-ciarmy > all

        DONE > emerging-compromised > all

        DONE > emerging-current_events > all

        DONE > emerging-deleted > ---

        DONE > emerging-dns > all except:
        2008446 ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10
        seconds) - possible Cache Poisoning Attempt
        2008470 ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups
        2001117 ET DNS Standard query response, Name Error

        DONE > emerging-dos > all

        DONE > emerging-drop > all

        DONE > emerging-dshield > all

        DONE > emerging-exploit > all except:
        2001058 ET EXPLOIT libpng tRNS overflow attempt
        2002913 ET EXPLOIT VNC Client response
        2002914 ET EXPLOIT VNC Server VNC Auth Offer
        2002919 ET EXPLOIT VNC Good Authentication Reply
        2002915 ET EXPLOIT VNC Authentication Reply
        2002758 ET EXPLOIT WMF Escape Record Exploit - Version 1
        2002742 ET EXPLOIT WMF Escape Record Exploit - Version 3

        DONE > emerging-ftp > all

        DONE > emerging-games > all

        DONE > emerging-icmp > ---

        DONE > emerging-icmp_info > ---

        DONE > emerging-imap > ---

        DONE > emerging-inappropriate > all except:
        2002925 ET INAPPROPRIATE Google Image Search, Safe Mode Off
        2001608 ET INAPPROPRIATE Likely Porn

        DONE > emerging-info > all except:
        2014472 ET INFO JAVA - Java Archive Download
        2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
        2014819 ET INFO Packed Executable Download
        2015016 ET INFO FTP STOR to External Network
        2015561 ET INFO PDF Using CCITTFax Filter
        2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
        2016360 ET INFO JAVA - ClassID
        2016361 ET INFO JAVA - ClassID
        2016404 ET INFO MPEG Download Over HTTP (1)

        DONE > emerging-malware > all except:
        2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File

        DONE > emerging-misc > all

        DONE > emerging-mobile_malware > all except:
        2012251 ET MOBILE_MALWARE Google Android Device HTTP Request
        2012848 ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI

        DONE > emerging-netbios > all

        DONE > emerging-p2p > all except:
        2000369 ET P2P BitTorrent Announce
        2007727 ET P2P possible torrent download
        2008581 ET P2P BitTorrent DHT ping request
        2008583 ET P2P BitTorrent DHT nodes reply
        2008585 ET P2P BitTorrent DHT announce_peers request
        2010144 ET P2P Vuze BT UDP Connection (5)
        2011699 ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)

        *emerging-policy > all except:
        2000419 ET POLICY PE EXE or DLL Windows file download
        2000428 ET POLICY ZIP file download
        2001115 ET POLICY MSI (microsoft installer file) download
        2003595 ET POLICY exe download via HTTP - Informational
        2001898 ET POLICY eBay Bid Placed
        2001907 ET POLICY eBay Placing Item for sale
        2001908 ET POLICY eBay View Item
        2001909 ET POLICY eBay Watch This Item
        2003303 ET POLICY FTP Login Attempt (non-anonymous)
        2003410 ET POLICY FTP Login Successful
        2003121 ET POLICY docs.google.com Activity
        2003597 ET POLICY Google Calendar in Use
        2002801 ET POLICY Google Desktop User-Agent Detected
        2002838 ET POLICY Google Search Appliance browsing the Internet
        2000035 ET POLICY Hotmail Inbox Access
        2000036 ET POLICY Hotmail Message Access
        2000037 ET POLICY Hotmail Compose Message Access
        2000038 ET POLICY Hotmail Compose Message Submit
        2000039 ET POLICY Hotmail Compose Message Submit Data
        2008238 ET POLICY Hotmail Inbox Access
        2008239 ET POLICY Hotmail Message Access
        2008240 ET POLICY Hotmail Compose Message Access
        2008242 ET POLICY Hotmail Access Full Mode
        2006408 ET POLICY HTTP Request on Unusual Port Possibly Hostile
        2006409 ET POLICY HTTP POST on unusual Port Possibly Hostile
        2002330 ET POLICY Google Talk TLS Client Traffic
        2002332 ET POLICY Google IM traffic Windows client user sign-on
        2002333 ET POLICY Google IM traffic friend invited
        2002878 ET POLICY iTunes User Agent
        2002722 ET POLICY MP3 File Transfer Outbound
        2002723 ET POLICY MP3 File Transfer Inbound
        2001114 ET POLICY Mozilla XPI install files download
        2001973 ET POLICY SSH Server Banner Detected on Expected Port
        2001974 ET POLICY SSH Client Banner Detected on Expected Port
        2001975 ET POLICY SSHv2 Server KEX Detected on Expected Port
        2001976 ET POLICY SSHv2 Client KEX Detected on Expected Port
        2001977 ET POLICY SSHv2 Client New Keys detected on Expected Port
        2001978 ET POLICY SSH session in progress on Expected Port
        2001979 ET POLICY SSH Server Banner Detected on Unusual Port
        2001980 ET POLICY SSH Client Banner Detected on Unusual Port
        2001981 ET POLICY SSHv2 Server KEX Detected on Unusual Port
        2001982 ET POLICY SSHv2 Client KEX Detected on Unusual Port
        2001983 ET POLICY SSHv2 Client New Keys Detected on Unusual Port
        2001984 ET POLICY SSH session in progress on Unusual Port
        2013031 ET POLICY Python-urllib/ Suspicious User Agent
        2013414 ET POLICY Executable served from Amazon S3
        2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
        2012647 ET POLICY Dropbox.com Offsite File Backup in Use
        2012648 ET POLICY Dropbox Client Broadcasting
        2014313 ET POLICY Executable Download From DropBox

        DONE > emerging-pop3 > ---

        DONE > emerging-rbn-malvertisers > all

        DONE > emerging-rbn > all

        DONE > emerging-rpc > ---

        DONE > emerging-scada > all

        DONE > emerging-scan > all except
        2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
        2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
        2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
        2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack

        DONE > emerging-shellcode > all except
        2011803 ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
        2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
        2012257 ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String
        2012510 ET SHELLCODE UTF-8/16 Encoded Shellcode
        2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
        2013267 ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a

        DONE > emerging-smtp > all

        DONE > emerging-snmp > all

        DONE > emerging-sql > all

        DONE > emerging-telnet > all

        DONE > emerging-tftp > all

        DONE > emerging-tor > all

        emerging-trojan > all except

        DONE > emerging-user_agents > all except:
        2010697 ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojan

        DONE > emerging-voip > all

        DONE > emerging-web_client > all except
        2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
        2011507 ET WEB_CLIENT PDF With Embedded File
        2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
        2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
        2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
        2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
        2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
        2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding

        DONE > emerging-web_server > all except
        2003099 ET WEB_SERVER Poison Null Byte

        emerging-web_specific_apps > all except:
        2010890 ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)
        2010891 ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)
        2010892 ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)
        2010893 ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)

        DONE > emerging-worm > all

        DONE > GPLv2 community rules > all except
        254 DNS SPOOF query response with TTL of 1 min. and no authority
        384 PROTOCOL-ICMP PING
        385 PROTOCOL-ICMP traceroute
        399 PROTOCOL-ICMP Destination Unreachable Host Unreachable
        402 PROTOCOL-ICMP Destination Unreachable Port Unreachable
        408 PROTOCOL-ICMP Echo Reply
        540 POLICY-SOCIAL Microsoft MSN message
        648 INDICATOR-SHELLCODE x86 NOOP
        649 INDICATOR-SHELLCODE x86 setgid 0
        1200 INDICATOR-COMPROMISE Invalid URL
        1201 INDICATOR-COMPROMISE 403 Forbidden
        1292 INDICATOR-COMPROMISE directory listing
        1390 INDICATOR-SHELLCODE x86 inc ebx NOOP
        1394 INDICATOR-SHELLCODE x86 inc ecx NOOP
        1437 FILE-IDENTIFY Microsoft Windows Media download detected
        1841 FILE-OTHER Oracle Javascript URL host spoofing attempt
        1846 POLICY-MULTIMEDIA vncviewer Java applet download attempt
        1852 SERVER-WEBAPP robots.txt access
        1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
        1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
        1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
        1990 POLICY-SOCIAL Microsoft MSN user search
        1991 POLICY-SOCIAL Microsoft MSN login attempt
        2180 PUA-P2P BitTorrent announce request
        2181 PUA-P2P BitTorrent transfer
        2707 FILE-IMAGE JPEG parser multipacket heap overflow
        3463 SERVER-WEBAPP awstats access
        25518 OS-OTHER Apple iPod User-Agent detected
        25519 OS-OTHER Apple iPad User-Agent detected
        25520 OS-OTHER Apple iPhone User-Agent detected
        25521 OS-OTHER Android User-Agent detected
        25522 OS-OTHER Nokia User-Agent detected
        25523 OS-OTHER Samsung User-Agent detected
        25524 OS-OTHER Kindle User-Agent detected
        25525 OS-OTHER Nintendo User-Agent detected

        *IPS Policy - Security > all except
        4152 BROWSER-PLUGINS Microsoft Windows Media Player 6.4 ActiveX object access
        19436 BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt

        Suppression List:
        #GLOBAL

        gen_id 1

        suppress gen_id 1, sig_id 536
        suppress gen_id 1, sig_id 648
        suppress gen_id 1, sig_id 653
        suppress gen_id 1, sig_id 1390
        suppress gen_id 1, sig_id 2452
        suppress gen_id 1, sig_id 11192
        suppress gen_id 1, sig_id 15306
        suppress gen_id 1, sig_id 16313
        suppress gen_id 1, sig_id 17458
        suppress gen_id 1, sig_id 20583
        suppress gen_id 1, sig_id 23098
        suppress gen_id 1, sig_id 2000334
        suppress gen_id 1, sig_id 2008120
        suppress gen_id 1, sig_id 2010516
        suppress gen_id 1, sig_id 20122758
        suppress gen_id 1, sig_id 2014518
        suppress gen_id 1, sig_id 2014520
        suppress gen_id 1, sig_id 2100366
        suppress gen_id 1, sig_id 2100368
        suppress gen_id 1, sig_id 2100651
        suppress gen_id 1, sig_id 2101390
        suppress gen_id 1, sig_id 2101424
        suppress gen_id 1, sig_id 2102314
        suppress gen_id 1, sig_id 2103134
        suppress gen_id 1, sig_id 2500056
        suppress gen_id 1, sig_id 100000230
        suppress gen_id 3, sig_id 14772
        #(http_inspect) DOUBLE DECODING ATTACK
        suppress gen_id 119, sig_id 2
        #(http_inspect) BARE BYTE UNICODE ENCODING
        suppress gen_id 119, sig_id 4
        #(http_inspect) IIS UNICODE CODEPOINT ENCODING
        suppress gen_id 119, sig_id 7
        #(http_inspect) NON-RFC DEFINED CHAR [**]
        suppress gen_id 119, sig_id 14
        #(http_inspect) UNKNOWN METHOD
        suppress gen_id 119, sig_id 31
        #(http_inspect) SIMPLE REQUEST
        suppress gen_id 119, sig_id 32
        #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
        suppress gen_id 120, sig_id 2
        #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
        suppress gen_id 120, sig_id 3
        #(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
        suppress gen_id 120, sig_id 4
        #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
        suppress gen_id 120, sig_id 6
        #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
        suppress gen_id 120, sig_id 8
        #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
        suppress gen_id 120, sig_id 9

        Unknown

        suppress gen_id 120, sig_id 10
        #(smtp) Attempted response buffer overflow: 1448 chars
        suppress gen_id 124, sig_id 3
        #(ftp_telnet) Invalid FTP Command
        suppress gen_id 125, sig_id 2
        #(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
        suppress gen_id 137, sig_id 1
        #(IMAP) Unknown IMAP4 command
        suppress gen_id 141, sig_id 1

        1 Reply Last reply Reply Quote 0
        • bmeeks
          bmeeks last edited by

          I had a discussion recently with another Snort user about suggested setups.  The user was asking whether to run Snort just on the WAN, or to run it on both the WAN and LAN.  The post linked below describes a good Snort configuration method for users with a single WAN interface and a LAN interface using NAT (typical for home networks and some small businesses).

          http://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417

          Bill

          1 Reply Last reply Reply Quote 0
          • T
            traxxus last edited by

            @bmeeks:

            I had a discussion recently with another Snort user about suggested setups.  The user was asking whether to run Snort just on the WAN, or to run it on both the WAN and LAN.  The post linked below describes a good Snort configuration method for users with a single WAN interface and a LAN interface using NAT (typical for home networks and some small businesses).

            http://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417

            Bill

            Use this list :)

            http://services.ce3c.be/ciprg/?countrys=RUSSIAN+FEDERATION

            1 Reply Last reply Reply Quote 0
            • D
              dhatz last edited by

              @traxxus:

              Use this list :)

              http://services.ce3c.be/ciprg/?countrys=RUSSIAN+FEDERATION

              Is there really any benefit in completely blocking entire countries ? I mean, looking at the logs of tens of servers, I'd say that most "bad" traffic seems to originate from hacked VPS in USA and Europe.

              I typically use country CIDR ranges to explicitly white-list ranges of IPs for SSH logins on certain systems, in those few cases where I "know" that nobody will login from abroad.

              PS: Sorry for high-jacking this thread, mod(s) please feel free to move this message to a more appropriate topic.

              1 Reply Last reply Reply Quote 0
              • V
                vipermy last edited by

                First of all, sorry if it's a noob question. We use pfSense as inter-department firewall within private network. We could install snort package through pfSense proxy setting. However, we couldn't perform the snort rule update. Is there anyway we could set the proxy snort update and how? or how to perform snort rule update manually?

                FYR, we are using pfSense 2.0.3 with Snort 2.9.4.6 pkg v. 2.5.9

                Thank you in advance.

                1 Reply Last reply Reply Quote 0
                • bmeeks
                  bmeeks last edited by

                  @vipermy:

                  First of all, sorry if it's a noob question. We use pfSense as inter-department firewall within private network. We could install snort package through pfSense proxy setting. However, we couldn't perform the snort rule update. Is there anyway we could set the proxy snort update and how? or how to perform snort rule update manually?

                  FYR, we are using pfSense 2.0.3 with Snort 2.9.4.6 pkg v. 2.5.9

                  Thank you in advance.

                  Proxy support for rule updates does not currently exist, but that is an excellent idea to add to the package.  I will put that on my TODO list.

                  Give me a little time to investigate a temp workaround for you.  Perhaps a quick patch might be doable that allows Snort to use the pfSense proxy settings.

                  Bill

                  1 Reply Last reply Reply Quote 0
                  • S
                    Supermule Banned last edited by

                    Whats the syntax for whitelisting an ext. client IP in Snort?

                    1 Reply Last reply Reply Quote 0
                    • bmeeks
                      bmeeks last edited by

                      @Supermule:

                      Whats the syntax for whitelisting an ext. client IP in Snort?

                      I would create an Alias for the IP under Firewall…Aliases.  Then go to the Whitelist tab and either create new list or choose the one being used by the interface in question.  At the bottom of the edit screen for the whitelist is a red background textbox for adding an Alias.  Simply choose the Alias there you created.  Start typing the name of the Alias and a dropdown list should automatically appear of matching entries to choose from.

                      If there are several IPs, or may be several in the future, I would create an Alias group and put the IPs in there.  Then choose that group on the Whitelist edit page.

                      Bill

                      1 Reply Last reply Reply Quote 0
                      • S
                        Supermule Banned last edited by

                        Yes but even if you run more than one whitelist, you can only add one for the WAN interface….

                        1 Reply Last reply Reply Quote 0
                        • bmeeks
                          bmeeks last edited by

                          @Supermule:

                          Yes but even if you run more than one whitelist, you can only add one for the WAN interface….

                          Multiple whitelists for the same interface don't really make sense to me.  It all has to be a single file for the Spoink plugin anyway.  Now what could be done is allow the addition of multiple Aliases, but the same thing can be accomplished by using Alias groups.  So it's six of one and half-dozen of the other as we say in America  ;D  The idea with multiple whitelists is to have a different one for each interface if you want.

                          Perhaps you are not using Aliases to their full extent?  They are a powerful tool that makes future upkeep of the firewall rules and Snort easy.  When an IP changes, just change it once in the Alias tab and it is instantly changed everywhere that Alias is used.  Contrast this with having individual IPs scattered all over the rules in the firewall, Snort and other places.  Lots of places to change then and lots of opportunity for typos.

                          I have yet to encounter a whitelist situation that can't be solved with a single Alias group.  Then in that group I can add all kinds of host IPs and/or networks.  These all get translated into actual IPs when the whitelist file is built during generation of the snort.conf file.

                          Lots of commercial firewalls use the same idea as Aliases.  I work extensively with Check Point firewalls, and they call them "objects", but they work the same way as Aliases in pfSense.  In Check Point, you cannot enter an IP address or port number anywhere in a firewall rule.  Everything has to be entered as an object.  You first create objects having the IP addresses and ports you want to use, then you select those objects in your rules.  It seems extra work the first time you see it, but then you quickly start to appreciate the utility when you come along and need to change a host IP for instance.  Just change it in the object, push the firewall policy (Check Point's term for regenerating the configuration), and the new IP address is reflected in every rule that references it.  No need to manually update the IP in say a dozen rules or something (where each time you type it you could enter it wrong).

                          1 Reply Last reply Reply Quote 0
                          • S
                            Supermule Banned last edited by

                            Alias Group??? Where in the GUI is that Bill?

                            1 Reply Last reply Reply Quote 0
                            • bmeeks
                              bmeeks last edited by

                              @Supermule:

                              Alias Group??? Where in the GUI is that Bill?

                              You can create an Alias that has other Aliases in it.  Under Firewall…Aliases.  Attached are two screenshots showing my whitelist alias group.  Click the (e) to edit the alias.  Then on the next screen click the (+) icon to add more entries to the alias (in effect making it an Alias Group).

                              Bill




                              1 Reply Last reply Reply Quote 0
                              • S
                                Supermule Banned last edited by

                                This is great!! Thx ;)

                                1 Reply Last reply Reply Quote 0
                                • bmeeks
                                  bmeeks last edited by

                                  Here is the Whitelist entry itself.  Notice the Alias down at the bottom is the one created in the previous screenshots.

                                  Bill


                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    Supermule Banned last edited by

                                    I understand! Thx mate. Really appreciated!

                                    1 Reply Last reply Reply Quote 0
                                    • bmeeks
                                      bmeeks last edited by

                                      @Supermule:

                                      I understand! Thx mate. Really appreciated!

                                      You're welcome. I just used some quick and dirty names for example, but you could name things logically and perhaps create a "WAN_whitelist_hosts" Alias and then others for different interfaces.  As I said, Aliases are very powerful tools once you get the hang of using them.

                                      Bill

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        Supermule Banned last edited by

                                        I have named it Snort Friendly IP :D

                                        1 Reply Last reply Reply Quote 0
                                        • bmeeks
                                          bmeeks last edited by

                                          @vipermy:

                                          First of all, sorry if it's a noob question. We use pfSense as inter-department firewall within private network. We could install snort package through pfSense proxy setting. However, we couldn't perform the snort rule update. Is there anyway we could set the proxy snort update and how? or how to perform snort rule update manually?

                                          FYR, we are using pfSense 2.0.3 with Snort 2.9.4.6 pkg v. 2.5.9

                                          Thank you in advance.

                                          Sent you a PM with my e-mail address.  Reply back to the address and I will send you a patched file I would like for you to test for me.  I think it will allow Snort rule updates through the pfSense system proxy.

                                          Bill

                                          1 Reply Last reply Reply Quote 0
                                          • M
                                            Mr. Jingles last edited by

                                            Thank you both for the explanations, I learned something valuable  ;D

                                            6 and a half billion people know that they are stupid, agressive, lower life forms.

                                            1 Reply Last reply Reply Quote 0
                                            • M
                                              Mr. Jingles last edited by

                                              Could I ask a question about the oinkcode?

                                              I purchased a subscription, but I am not quite sure if I understand the GUI correctly now.

                                              Before, the last couple of months, when I didn't have a subscription, I flagged 'install snort community rules' (obviously, since they are free  ;D) and also enabled them on both interfaces (for/ex: WAN-categories -> Select the rulesets Snort will load at startup -> Snort GPLv2 Community Rules (VRT certified)).

                                              But now that my oinkcode stands for a paid subscription, do I still have to select 'install snort community rules', or is just selecting the right 'IPS-policy' sufficient? I ask, since specifically now I don't see any alerts in my Snort-log anymore.

                                              Thank you for your answer  ;D

                                              6 and a half billion people know that they are stupid, agressive, lower life forms.

                                              1 Reply Last reply Reply Quote 0
                                              • bmeeks
                                                bmeeks last edited by

                                                @Hollander:

                                                Could I ask a question about the oinkcode?

                                                I purchased a subscription, but I am not quite sure if I understand the GUI correctly now.

                                                Before, the last couple of months, when I didn't have a subscription, I flagged 'install snort community rules' (obviously, since they are free  ;D) and also enabled them on both interfaces (for/ex: WAN-categories -> Select the rulesets Snort will load at startup -> Snort GPLv2 Community Rules (VRT certified)).

                                                But now that my oinkcode stands for a paid subscription, do I still have to select 'install snort community rules', or is just selecting the right 'IPS-policy' sufficient? I ask, since specifically now I don't see any alerts in my Snort-log anymore.

                                                Thank you for your answer  ;D

                                                The paid subscription Oinkcode automatically includes the "Snort Community Rules" in the downloaded rule set, so you do not need to manually select those anymore.

                                                Just check the Snort VRT rules (and optionally Emerging Threats if you want some of those), then choose an IPS Policy.  You will get the Community Rules this way.

                                                Bill

                                                1 Reply Last reply Reply Quote 0
                                                • J
                                                  jdsilva last edited by

                                                  I have snort up and running. I subscribed to the VRT rules. However when I added my oinkcode, it doesn't seem to download the latest subscriber rules. For example I ran the update today, and it downloaded snortrules-snapshot-2946.tar.gz Sept 3. It should have downloaded snortrules-snapshot-2950.tar.gz

                                                  1 Reply Last reply Reply Quote 0
                                                  • bmeeks
                                                    bmeeks last edited by

                                                    @jdsilva:

                                                    I have snort up and running. I subscribed to the VRT rules. However when I added my oinkcode, it doesn't seem to download the latest subscriber rules. For example I ran the update today, and it downloaded snortrules-snapshot-2946.tar.gz Sept 3. It should have downloaded snortrules-snapshot-2950.tar.gz

                                                    No, the binary version of Snort is considered when downloading rule updates.  The rules are coded for the different binary versions.  Snort on pfSense is currently version 2.9.4.6, so you will download the 2.9.4.6 rules snapshot.  The rules usually update on Tuesday and Thursday over at Snort.org.

                                                    An update to the 2.9.5.5 Snort binary for the pfSense Snort package should come out late this month or early in November.  Testing it now.

                                                    Bill

                                                    1 Reply Last reply Reply Quote 0
                                                    • C
                                                      coolcat1975 last edited by

                                                      Hi!

                                                      I am using policy connectivity.
                                                      I am getting false positives for ssp_ssl: Invalid Client HELLO after Server HELLO Detected.

                                                      How can i disable this policy when using policy?

                                                      best regards

                                                      Karl

                                                      1 Reply Last reply Reply Quote 0
                                                      • bmeeks
                                                        bmeeks last edited by

                                                        @coolcat1975:

                                                        Hi!

                                                        I am using policy connectivity.
                                                        I am getting false positives for ssp_ssl: Invalid Client HELLO after Server HELLO Detected.

                                                        How can i disable this policy when using policy?

                                                        best regards

                                                        Karl

                                                        You can't easily disable this directly because it is a preprocessor alert.  I've seen some traffic about this alert on the Snort mailing list that indicates it is a potential bug in the preprocesor code.

                                                        The best workaround for now is to create a Suppress List entry for this alert.  On the ALERTS tab, click the little plus sign (+) next to the alert's GID:SID.  This will automatically add it to the Suppress List and you won't get blocks on those IPs.  You will still see the alert in the ALERTS tab, but it will not block the offending IP.

                                                        After adding the Suppress entry, restart Snort on the affect interface.

                                                        Bill

                                                        1 Reply Last reply Reply Quote 0
                                                        • C
                                                          coolcat1975 last edited by

                                                          hi!

                                                          thanks for your answer.

                                                          i am aware about the supress function but best practice says that you should disable the rule.

                                                          anyway: i will test supressing as all alerts are forwarded to icinga. i hope this will also be supressed

                                                          greetings

                                                          karl

                                                          1 Reply Last reply Reply Quote 0
                                                          • bmeeks
                                                            bmeeks last edited by

                                                            @coolcat1975:

                                                            hi!

                                                            thanks for your answer.

                                                            i am aware about the supress function but best practice says that you should disable the rule.

                                                            anyway: i will test supressing as all alerts are forwarded to icinga. i hope this will also be supressed

                                                            greetings

                                                            karl

                                                            Disabling is the best, but with today's hardware capability just suppressing is fine.  That's the answer you generally get from the Snort VRT folks as well.  Maybe if you are inspecting 1 Gbit/sec plus traffic loads, the distinction between disabling and suppressing matters; but for most folks with modern hardware there is no meaning difference.

                                                            Bill

                                                            1 Reply Last reply Reply Quote 0
                                                            • C
                                                              coolcat1975 last edited by

                                                              Just another question:

                                                              If snort is bound to Interface WAN and pfsense is in transparent mode, how is snort working when blocking is activated?

                                                              does snort drop the packet and blocks the ip or is the packet passed and then the ip is blocked?

                                                              regards

                                                              karl

                                                              1 Reply Last reply Reply Quote 0
                                                              • bmeeks
                                                                bmeeks last edited by

                                                                @coolcat1975:

                                                                Just another question:

                                                                If snort is bound to Interface WAN and pfsense is in transparent mode, how is snort working when blocking is activated?

                                                                does snort drop the packet and blocks the ip or is the packet passed and then the ip is blocked?

                                                                regards

                                                                karl

                                                                I honestly don't know the answer to that question.  I've never tested Snort on pfSense in Transparent Mode.  I suspect the traffic will still get blocked because Snort actually uses the packet filter engine and its tables to insert blocks.  In that sense it operates just like the firewall module itself.

                                                                Where Snort might get tripped up in Transparent Mode is with the defintion of $HOME_NET and $EXTERNAL_NET variables.

                                                                Bill

                                                                1 Reply Last reply Reply Quote 0
                                                                • S
                                                                  sebna last edited by

                                                                  Hi,

                                                                  Thanks for great guide.

                                                                  Before I found it I just went through all the options and configured as I thought it makes sense to my limited knowledge and I did one thing differently.

                                                                  I went to my defined WAN interface in snort -> Wan Rules -> selected from drop down GPLv2 rules and pressed on enable all rules in the current category as they were all greyed out before that and seemed inactive - is this necessary step and what it actually means if I leave all of them greyed out and what it means if I enable them.

                                                                  Also in point

                                                                  20.  If you followed my advice for Snort VRT rules, this page is easy.  Just click the check box for "Use IPS Policy" and then select "Connectivity" in the drop-down.  Click Save and you're done!  Once you gain some experience with Snort, you can come back and choose one of the other two more restrictive policies.  I personally run "Balanced", but it will require some tuning if run in blocking mode.

                                                                  If I only registered an account (without a paid subscription) to get access to GPL rules should I tick or leave the "Use IPS Policy" box unticked?

                                                                  If I have mail server, DNS, DHCP and SQL server on my LAN should I define the names in WAN Variables and if yes what is the correct syntax? Can it be IP or is it a FQN

                                                                  Thank you for explaining any of the above.

                                                                  seb

                                                                  1 Reply Last reply Reply Quote 0
                                                                  • bmeeks
                                                                    bmeeks last edited by

                                                                    @sebna:

                                                                    I went to my defined WAN interface in snort -> Wan Rules -> selected from drop down GPLv2 rules and pressed on enable all rules in the current category as they were all greyed out before that and seemed inactive - is this necessary step and what it actually means if I leave all of them greyed out and what it means if I enable them.

                                                                    Also in point

                                                                    20.  If you followed my advice for Snort VRT rules, this page is easy.  Just click the check box for "Use IPS Policy" and then select "Connectivity" in the drop-down.  Click Save and you're done!  Once you gain some experience with Snort, you can come back and choose one of the other two more restrictive policies.  I personally run "Balanced", but it will require some tuning if run in blocking mode.

                                                                    If I only registered an account (without a paid subscription) to get access to GPL rules should I tick or leave the "Use IPS Policy" box unticked?

                                                                    If I have mail server, DNS, DHCP and SQL server on my LAN should I define the names in WAN Variables and if yes what is the correct syntax? Can it be IP or is it a FQN

                                                                    Thank you for explaining any of the above.

                                                                    seb

                                                                    If you registered at Snort.org for the free account, that entitles you to the full Snort VRT rules download.  The only caveat is they are 30 days older than the rules the paid subscribers get.  As for the GPLv2 Community Rules, generally only a few of them will be enabled by default.  You can turn on the ones of interest to you.  If you don't want the headache of figuring out which Community Rules you want or need, then an easier approach in my view is to enable and use the Emerging Threats rules instead.  They stay pretty current and are arranged in categories that give clues as to what the rules are doing.

                                                                    You can use the IPS Policy with the Snort VRT rules whether you have a paid or free account.  The only difference in paid versus free is the age of the rules.  As I mentioned, the paid subscribers get current updates.  The free account registered users get the new rules 30 days after the paid users.  It's a 30-day rolling sort of thing.  But the same IPS policies are available in both sets of rules.

                                                                    If you have Mail, DNS and other specific servers on your network, you can certainly define their IP addresses for Snort. This makes Snort's job a bit easier.  By default, it assumes all the IP addresses in your network are all of the potential servers.  So this means it sort of inspects all traffic for all IPs for everything.  You can narrow this down by defining where some services are located (that is, which IP addresses host those services on your HOME_NET networks).  Armed with that information, Snort won't waste time looking for HTTP web exploits against a DNS or DHCP server.  It does this by matching the IP address in the target to the values you define in the variables.

                                                                    To define servers or ports on the VARIABLES tab, you must first create a corresponding Alias under Firewall…Alias from the pfSense menu.  Type a descriptive name for the Alias, such as DNS_Servers, and then enter the IP addresses of all of your DNS servers.  Repeat the process to create Aliases for any other servers.  Now go to the VARIABLES tab in Snort and scroll down to the server description.  Start typing the name of the Alias you defined earlier.  It should auto-complete in the Alias form field.  Click SAVE when done.

                                                                    1 Reply Last reply Reply Quote 1
                                                                    • S
                                                                      sebna last edited by

                                                                      Thank you Bill,

                                                                      It was late and I was tried yesterday :) I found the cause of the problem and basically I just need a restart for my OINK to work and to be able to download the definitions…

                                                                      Thank you for clarifying other things and advice. Much appreciated as the whole guide :)

                                                                      Seb

                                                                      1 Reply Last reply Reply Quote 0
                                                                      • C
                                                                        coolcat1975 last edited by

                                                                        hi!

                                                                        is it possible to run snort-inline?

                                                                        actually if not then i wouldnt call it an IPS.

                                                                        regards

                                                                        Karl

                                                                        1 Reply Last reply Reply Quote 0
                                                                        • bmeeks
                                                                          bmeeks last edited by

                                                                          @coolcat1975:

                                                                          hi!

                                                                          is it possible to run snort-inline?

                                                                          actually if not then i wouldnt call it an IPS.

                                                                          regards

                                                                          Karl

                                                                          Snort is kinda-sorta "inline" on pfSense.  It can insert blocks into the firewall.  It is not 100% technically inline like it would be in a classic pure IPS.

                                                                          Bill

                                                                          1 Reply Last reply Reply Quote 0
                                                                          • S
                                                                            sebna last edited by

                                                                            My SNORT will produce a lot alerts but only few blocks (ATM it runs only on WAN interface). Before adding pfblocker and running Snort in "Use IPS Policy" (I run it in security mode) it was blocking a lot more.

                                                                            I dont have any custom whitelist and my Suppress contains only of google ip(s).

                                                                            Any ideas?

                                                                            Thanks

                                                                            1 Reply Last reply Reply Quote 0
                                                                            • bmeeks
                                                                              bmeeks last edited by

                                                                              @sebna:

                                                                              … Before adding pfblocker and running Snort in "Use IPS Policy" (I run it in security mode) it was blocking a lot more.

                                                                              I dont have any custom whitelist and my Suppress contains only of google ip(s).

                                                                              Any ideas?

                                                                              Thanks

                                                                              It could be that pfBlocker is preempting Snort and putting blocks in place.  I don't think the blocks of a particular IP address will be duplicated.

                                                                              Also, you did not post the version of pfSense you are running.  If it is 2.1, then a problem with the filter_reload() function within that version of pfSense periodically clears the Snort block table.  So Snort is possibly blocking the IP, then the pfSense filter_reload() function comes along and clears the table.  When you look at the BLOCKED tab in Snort, it is actually reading the current entries from the snort2c block table that pfSense maintains.  The table may have been recently cleansed by the filter_reload() routine.

                                                                              However, even considering the above, protection afforded by Snort is still there.  On the next offending packet from one of those formerly blocked IP addresses, Snort will insert a fresh block.

                                                                              Bill

                                                                              1 Reply Last reply Reply Quote 0
                                                                              • G
                                                                                godlyatheist last edited by

                                                                                Thank you OP for the guide. I have some basic questions about setting up Snort. In the guide it said click the green arrow in the Snort column on the Interface tab so it turns red. But the tooltip says green is enabled and red is stopped, am I confused? Also, why does my Block column say DISABLED when though Snort is enabled?

                                                                                1 Reply Last reply Reply Quote 0
                                                                                • ?
                                                                                  A Former User last edited by

                                                                                  @godlyatheist:

                                                                                  Thank you OP for the guide. I have some basic questions about setting up Snort. In the guide it said click the green arrow in the Snort column on the Interface tab so it turns red. But the tooltip says green is enabled and red is stopped, am I confused? Also, why does my Block column say DISABLED when though Snort is enabled?

                                                                                  The arrow color was recently changed to be more in "sync" with the rest of the interface. It used to be press the green to start, press the red to stop. The problem was that it showed a red arrow on the status tab while snort was running, which was different with all the rest of the interface (green means OK).
                                                                                  The reason it says that, is that we cannot change old posts on this forum.

                                                                                  To clarrify myself:
                                                                                  Green means snort IS running, you click it to STOP it.
                                                                                  Red means snort is NOT running, you click it to START it.

                                                                                  1 Reply Last reply Reply Quote 0
                                                                                  • M
                                                                                    Mr. Jingles last edited by

                                                                                    @godlyatheist:

                                                                                    Also, why does my Block column say DISABLED when though Snort is enabled?

                                                                                    Did you tell Snort to block offenders? (Interface -> block offenders).

                                                                                    6 and a half billion people know that they are stupid, agressive, lower life forms.

                                                                                    1 Reply Last reply Reply Quote 0
                                                                                    • First post
                                                                                      Last post