Quick Snort Setup Instructions for New Users



  • I had a discussion recently with another Snort user about suggested setups.  The user was asking whether to run Snort just on the WAN, or to run it on both the WAN and LAN.  The post linked below describes a good Snort configuration method for users with a single WAN interface and a LAN interface using NAT (typical for home networks and some small businesses).

    http://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417

    Bill



  • @bmeeks:

    I had a discussion recently with another Snort user about suggested setups.  The user was asking whether to run Snort just on the WAN, or to run it on both the WAN and LAN.  The post linked below describes a good Snort configuration method for users with a single WAN interface and a LAN interface using NAT (typical for home networks and some small businesses).

    http://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417

    Bill

    Use this list :)

    http://services.ce3c.be/ciprg/?countrys=RUSSIAN+FEDERATION



  • @traxxus:

    Use this list :)

    http://services.ce3c.be/ciprg/?countrys=RUSSIAN+FEDERATION

    Is there really any benefit in completely blocking entire countries ? I mean, looking at the logs of tens of servers, I'd say that most "bad" traffic seems to originate from hacked VPS in USA and Europe.

    I typically use country CIDR ranges to explicitly white-list ranges of IPs for SSH logins on certain systems, in those few cases where I "know" that nobody will login from abroad.

    PS: Sorry for high-jacking this thread, mod(s) please feel free to move this message to a more appropriate topic.



  • First of all, sorry if it's a noob question. We use pfSense as inter-department firewall within private network. We could install snort package through pfSense proxy setting. However, we couldn't perform the snort rule update. Is there anyway we could set the proxy snort update and how? or how to perform snort rule update manually?

    FYR, we are using pfSense 2.0.3 with Snort 2.9.4.6 pkg v. 2.5.9

    Thank you in advance.



  • @vipermy:

    First of all, sorry if it's a noob question. We use pfSense as inter-department firewall within private network. We could install snort package through pfSense proxy setting. However, we couldn't perform the snort rule update. Is there anyway we could set the proxy snort update and how? or how to perform snort rule update manually?

    FYR, we are using pfSense 2.0.3 with Snort 2.9.4.6 pkg v. 2.5.9

    Thank you in advance.

    Proxy support for rule updates does not currently exist, but that is an excellent idea to add to the package.  I will put that on my TODO list.

    Give me a little time to investigate a temp workaround for you.  Perhaps a quick patch might be doable that allows Snort to use the pfSense proxy settings.

    Bill


  • Banned

    Whats the syntax for whitelisting an ext. client IP in Snort?



  • @Supermule:

    Whats the syntax for whitelisting an ext. client IP in Snort?

    I would create an Alias for the IP under Firewall…Aliases.  Then go to the Whitelist tab and either create new list or choose the one being used by the interface in question.  At the bottom of the edit screen for the whitelist is a red background textbox for adding an Alias.  Simply choose the Alias there you created.  Start typing the name of the Alias and a dropdown list should automatically appear of matching entries to choose from.

    If there are several IPs, or may be several in the future, I would create an Alias group and put the IPs in there.  Then choose that group on the Whitelist edit page.

    Bill


  • Banned

    Yes but even if you run more than one whitelist, you can only add one for the WAN interface….



  • @Supermule:

    Yes but even if you run more than one whitelist, you can only add one for the WAN interface….

    Multiple whitelists for the same interface don't really make sense to me.  It all has to be a single file for the Spoink plugin anyway.  Now what could be done is allow the addition of multiple Aliases, but the same thing can be accomplished by using Alias groups.  So it's six of one and half-dozen of the other as we say in America  ;D  The idea with multiple whitelists is to have a different one for each interface if you want.

    Perhaps you are not using Aliases to their full extent?  They are a powerful tool that makes future upkeep of the firewall rules and Snort easy.  When an IP changes, just change it once in the Alias tab and it is instantly changed everywhere that Alias is used.  Contrast this with having individual IPs scattered all over the rules in the firewall, Snort and other places.  Lots of places to change then and lots of opportunity for typos.

    I have yet to encounter a whitelist situation that can't be solved with a single Alias group.  Then in that group I can add all kinds of host IPs and/or networks.  These all get translated into actual IPs when the whitelist file is built during generation of the snort.conf file.

    Lots of commercial firewalls use the same idea as Aliases.  I work extensively with Check Point firewalls, and they call them "objects", but they work the same way as Aliases in pfSense.  In Check Point, you cannot enter an IP address or port number anywhere in a firewall rule.  Everything has to be entered as an object.  You first create objects having the IP addresses and ports you want to use, then you select those objects in your rules.  It seems extra work the first time you see it, but then you quickly start to appreciate the utility when you come along and need to change a host IP for instance.  Just change it in the object, push the firewall policy (Check Point's term for regenerating the configuration), and the new IP address is reflected in every rule that references it.  No need to manually update the IP in say a dozen rules or something (where each time you type it you could enter it wrong).


  • Banned

    Alias Group??? Where in the GUI is that Bill?



  • @Supermule:

    Alias Group??? Where in the GUI is that Bill?

    You can create an Alias that has other Aliases in it.  Under Firewall…Aliases.  Attached are two screenshots showing my whitelist alias group.  Click the (e) to edit the alias.  Then on the next screen click the (+) icon to add more entries to the alias (in effect making it an Alias Group).

    Bill





  • Banned

    This is great!! Thx ;)



  • Here is the Whitelist entry itself.  Notice the Alias down at the bottom is the one created in the previous screenshots.

    Bill



  • Banned

    I understand! Thx mate. Really appreciated!



  • @Supermule:

    I understand! Thx mate. Really appreciated!

    You're welcome. I just used some quick and dirty names for example, but you could name things logically and perhaps create a "WAN_whitelist_hosts" Alias and then others for different interfaces.  As I said, Aliases are very powerful tools once you get the hang of using them.

    Bill


  • Banned

    I have named it Snort Friendly IP :D



  • @vipermy:

    First of all, sorry if it's a noob question. We use pfSense as inter-department firewall within private network. We could install snort package through pfSense proxy setting. However, we couldn't perform the snort rule update. Is there anyway we could set the proxy snort update and how? or how to perform snort rule update manually?

    FYR, we are using pfSense 2.0.3 with Snort 2.9.4.6 pkg v. 2.5.9

    Thank you in advance.

    Sent you a PM with my e-mail address.  Reply back to the address and I will send you a patched file I would like for you to test for me.  I think it will allow Snort rule updates through the pfSense system proxy.

    Bill



  • Thank you both for the explanations, I learned something valuable  ;D



  • Could I ask a question about the oinkcode?

    I purchased a subscription, but I am not quite sure if I understand the GUI correctly now.

    Before, the last couple of months, when I didn't have a subscription, I flagged 'install snort community rules' (obviously, since they are free  ;D) and also enabled them on both interfaces (for/ex: WAN-categories -> Select the rulesets Snort will load at startup -> Snort GPLv2 Community Rules (VRT certified)).

    But now that my oinkcode stands for a paid subscription, do I still have to select 'install snort community rules', or is just selecting the right 'IPS-policy' sufficient? I ask, since specifically now I don't see any alerts in my Snort-log anymore.

    Thank you for your answer  ;D



  • @Hollander:

    Could I ask a question about the oinkcode?

    I purchased a subscription, but I am not quite sure if I understand the GUI correctly now.

    Before, the last couple of months, when I didn't have a subscription, I flagged 'install snort community rules' (obviously, since they are free  ;D) and also enabled them on both interfaces (for/ex: WAN-categories -> Select the rulesets Snort will load at startup -> Snort GPLv2 Community Rules (VRT certified)).

    But now that my oinkcode stands for a paid subscription, do I still have to select 'install snort community rules', or is just selecting the right 'IPS-policy' sufficient? I ask, since specifically now I don't see any alerts in my Snort-log anymore.

    Thank you for your answer  ;D

    The paid subscription Oinkcode automatically includes the "Snort Community Rules" in the downloaded rule set, so you do not need to manually select those anymore.

    Just check the Snort VRT rules (and optionally Emerging Threats if you want some of those), then choose an IPS Policy.  You will get the Community Rules this way.

    Bill



  • I have snort up and running. I subscribed to the VRT rules. However when I added my oinkcode, it doesn't seem to download the latest subscriber rules. For example I ran the update today, and it downloaded snortrules-snapshot-2946.tar.gz Sept 3. It should have downloaded snortrules-snapshot-2950.tar.gz



  • @jdsilva:

    I have snort up and running. I subscribed to the VRT rules. However when I added my oinkcode, it doesn't seem to download the latest subscriber rules. For example I ran the update today, and it downloaded snortrules-snapshot-2946.tar.gz Sept 3. It should have downloaded snortrules-snapshot-2950.tar.gz

    No, the binary version of Snort is considered when downloading rule updates.  The rules are coded for the different binary versions.  Snort on pfSense is currently version 2.9.4.6, so you will download the 2.9.4.6 rules snapshot.  The rules usually update on Tuesday and Thursday over at Snort.org.

    An update to the 2.9.5.5 Snort binary for the pfSense Snort package should come out late this month or early in November.  Testing it now.

    Bill



  • Hi!

    I am using policy connectivity.
    I am getting false positives for ssp_ssl: Invalid Client HELLO after Server HELLO Detected.

    How can i disable this policy when using policy?

    best regards

    Karl



  • @coolcat1975:

    Hi!

    I am using policy connectivity.
    I am getting false positives for ssp_ssl: Invalid Client HELLO after Server HELLO Detected.

    How can i disable this policy when using policy?

    best regards

    Karl

    You can't easily disable this directly because it is a preprocessor alert.  I've seen some traffic about this alert on the Snort mailing list that indicates it is a potential bug in the preprocesor code.

    The best workaround for now is to create a Suppress List entry for this alert.  On the ALERTS tab, click the little plus sign (+) next to the alert's GID:SID.  This will automatically add it to the Suppress List and you won't get blocks on those IPs.  You will still see the alert in the ALERTS tab, but it will not block the offending IP.

    After adding the Suppress entry, restart Snort on the affect interface.

    Bill



  • hi!

    thanks for your answer.

    i am aware about the supress function but best practice says that you should disable the rule.

    anyway: i will test supressing as all alerts are forwarded to icinga. i hope this will also be supressed

    greetings

    karl



  • @coolcat1975:

    hi!

    thanks for your answer.

    i am aware about the supress function but best practice says that you should disable the rule.

    anyway: i will test supressing as all alerts are forwarded to icinga. i hope this will also be supressed

    greetings

    karl

    Disabling is the best, but with today's hardware capability just suppressing is fine.  That's the answer you generally get from the Snort VRT folks as well.  Maybe if you are inspecting 1 Gbit/sec plus traffic loads, the distinction between disabling and suppressing matters; but for most folks with modern hardware there is no meaning difference.

    Bill



  • Just another question:

    If snort is bound to Interface WAN and pfsense is in transparent mode, how is snort working when blocking is activated?

    does snort drop the packet and blocks the ip or is the packet passed and then the ip is blocked?

    regards

    karl



  • @coolcat1975:

    Just another question:

    If snort is bound to Interface WAN and pfsense is in transparent mode, how is snort working when blocking is activated?

    does snort drop the packet and blocks the ip or is the packet passed and then the ip is blocked?

    regards

    karl

    I honestly don't know the answer to that question.  I've never tested Snort on pfSense in Transparent Mode.  I suspect the traffic will still get blocked because Snort actually uses the packet filter engine and its tables to insert blocks.  In that sense it operates just like the firewall module itself.

    Where Snort might get tripped up in Transparent Mode is with the defintion of $HOME_NET and $EXTERNAL_NET variables.

    Bill



  • Hi,

    Thanks for great guide.

    Before I found it I just went through all the options and configured as I thought it makes sense to my limited knowledge and I did one thing differently.

    I went to my defined WAN interface in snort -> Wan Rules -> selected from drop down GPLv2 rules and pressed on enable all rules in the current category as they were all greyed out before that and seemed inactive - is this necessary step and what it actually means if I leave all of them greyed out and what it means if I enable them.

    Also in point

    20.  If you followed my advice for Snort VRT rules, this page is easy.  Just click the check box for "Use IPS Policy" and then select "Connectivity" in the drop-down.  Click Save and you're done!  Once you gain some experience with Snort, you can come back and choose one of the other two more restrictive policies.  I personally run "Balanced", but it will require some tuning if run in blocking mode.

    If I only registered an account (without a paid subscription) to get access to GPL rules should I tick or leave the "Use IPS Policy" box unticked?

    If I have mail server, DNS, DHCP and SQL server on my LAN should I define the names in WAN Variables and if yes what is the correct syntax? Can it be IP or is it a FQN

    Thank you for explaining any of the above.

    seb



  • @sebna:

    I went to my defined WAN interface in snort -> Wan Rules -> selected from drop down GPLv2 rules and pressed on enable all rules in the current category as they were all greyed out before that and seemed inactive - is this necessary step and what it actually means if I leave all of them greyed out and what it means if I enable them.

    Also in point

    20.  If you followed my advice for Snort VRT rules, this page is easy.  Just click the check box for "Use IPS Policy" and then select "Connectivity" in the drop-down.  Click Save and you're done!  Once you gain some experience with Snort, you can come back and choose one of the other two more restrictive policies.  I personally run "Balanced", but it will require some tuning if run in blocking mode.

    If I only registered an account (without a paid subscription) to get access to GPL rules should I tick or leave the "Use IPS Policy" box unticked?

    If I have mail server, DNS, DHCP and SQL server on my LAN should I define the names in WAN Variables and if yes what is the correct syntax? Can it be IP or is it a FQN

    Thank you for explaining any of the above.

    seb

    If you registered at Snort.org for the free account, that entitles you to the full Snort VRT rules download.  The only caveat is they are 30 days older than the rules the paid subscribers get.  As for the GPLv2 Community Rules, generally only a few of them will be enabled by default.  You can turn on the ones of interest to you.  If you don't want the headache of figuring out which Community Rules you want or need, then an easier approach in my view is to enable and use the Emerging Threats rules instead.  They stay pretty current and are arranged in categories that give clues as to what the rules are doing.

    You can use the IPS Policy with the Snort VRT rules whether you have a paid or free account.  The only difference in paid versus free is the age of the rules.  As I mentioned, the paid subscribers get current updates.  The free account registered users get the new rules 30 days after the paid users.  It's a 30-day rolling sort of thing.  But the same IPS policies are available in both sets of rules.

    If you have Mail, DNS and other specific servers on your network, you can certainly define their IP addresses for Snort. This makes Snort's job a bit easier.  By default, it assumes all the IP addresses in your network are all of the potential servers.  So this means it sort of inspects all traffic for all IPs for everything.  You can narrow this down by defining where some services are located (that is, which IP addresses host those services on your HOME_NET networks).  Armed with that information, Snort won't waste time looking for HTTP web exploits against a DNS or DHCP server.  It does this by matching the IP address in the target to the values you define in the variables.

    To define servers or ports on the VARIABLES tab, you must first create a corresponding Alias under Firewall…Alias from the pfSense menu.  Type a descriptive name for the Alias, such as DNS_Servers, and then enter the IP addresses of all of your DNS servers.  Repeat the process to create Aliases for any other servers.  Now go to the VARIABLES tab in Snort and scroll down to the server description.  Start typing the name of the Alias you defined earlier.  It should auto-complete in the Alias form field.  Click SAVE when done.



  • Thank you Bill,

    It was late and I was tried yesterday :) I found the cause of the problem and basically I just need a restart for my OINK to work and to be able to download the definitions…

    Thank you for clarifying other things and advice. Much appreciated as the whole guide :)

    Seb



  • hi!

    is it possible to run snort-inline?

    actually if not then i wouldnt call it an IPS.

    regards

    Karl



  • @coolcat1975:

    hi!

    is it possible to run snort-inline?

    actually if not then i wouldnt call it an IPS.

    regards

    Karl

    Snort is kinda-sorta "inline" on pfSense.  It can insert blocks into the firewall.  It is not 100% technically inline like it would be in a classic pure IPS.

    Bill



  • My SNORT will produce a lot alerts but only few blocks (ATM it runs only on WAN interface). Before adding pfblocker and running Snort in "Use IPS Policy" (I run it in security mode) it was blocking a lot more.

    I dont have any custom whitelist and my Suppress contains only of google ip(s).

    Any ideas?

    Thanks



  • @sebna:

    … Before adding pfblocker and running Snort in "Use IPS Policy" (I run it in security mode) it was blocking a lot more.

    I dont have any custom whitelist and my Suppress contains only of google ip(s).

    Any ideas?

    Thanks

    It could be that pfBlocker is preempting Snort and putting blocks in place.  I don't think the blocks of a particular IP address will be duplicated.

    Also, you did not post the version of pfSense you are running.  If it is 2.1, then a problem with the filter_reload() function within that version of pfSense periodically clears the Snort block table.  So Snort is possibly blocking the IP, then the pfSense filter_reload() function comes along and clears the table.  When you look at the BLOCKED tab in Snort, it is actually reading the current entries from the snort2c block table that pfSense maintains.  The table may have been recently cleansed by the filter_reload() routine.

    However, even considering the above, protection afforded by Snort is still there.  On the next offending packet from one of those formerly blocked IP addresses, Snort will insert a fresh block.

    Bill



  • Thank you OP for the guide. I have some basic questions about setting up Snort. In the guide it said click the green arrow in the Snort column on the Interface tab so it turns red. But the tooltip says green is enabled and red is stopped, am I confused? Also, why does my Block column say DISABLED when though Snort is enabled?



  • @godlyatheist:

    Thank you OP for the guide. I have some basic questions about setting up Snort. In the guide it said click the green arrow in the Snort column on the Interface tab so it turns red. But the tooltip says green is enabled and red is stopped, am I confused? Also, why does my Block column say DISABLED when though Snort is enabled?

    The arrow color was recently changed to be more in "sync" with the rest of the interface. It used to be press the green to start, press the red to stop. The problem was that it showed a red arrow on the status tab while snort was running, which was different with all the rest of the interface (green means OK).
    The reason it says that, is that we cannot change old posts on this forum.

    To clarrify myself:
    Green means snort IS running, you click it to STOP it.
    Red means snort is NOT running, you click it to START it.



  • @godlyatheist:

    Also, why does my Block column say DISABLED when though Snort is enabled?

    Did you tell Snort to block offenders? (Interface -> block offenders).



  • @Hollander:

    @godlyatheist:

    Also, why does my Block column say DISABLED when though Snort is enabled?

    Did you tell Snort to block offenders? (Interface -> block offenders).

    Now it says blocked, thank you.



  • @godlyatheist:

    @Hollander:

    @godlyatheist:

    Also, why does my Block column say DISABLED when though Snort is enabled?

    Did you tell Snort to block offenders? (Interface -> block offenders).

    Now it says blocked, thank you.

    You're most welcome  ;D


Log in to reply