Quick Snort Setup Instructions for New Users
-
8. Click the Snort Interfaces tab and then click the plus "+" icon to add a Snort interface.
9. On the If Settings tab, click the Enable checkbox.
10. In the drop-down, choose the interface. The WAN interface is the default and is a good first choice.
11. In the Description textbox, enter a name (WAN again, is fine here).
I have several OpenVPN clients that run as interfaces. Should I add them also in Snort interfaces or is it enough with just WAN?
Thanks for this great post. I followed your post and also watched this tutorial https://youtu.be/-GgqYq5-EBg
Thanks again!
-
New to Snort, I followed this one https://www.youtube.com/watch?v=-GgqYq5-EBg&feature=youtu.be and set up accordingly only one interface, e.g. the WAN.
Strangely enough, I only see one source IP address (LAN) in the Alerts tab. I have 10 subnets, with many users using the internet, so what am I overlooking? For instance, in pfBlockerNG-devel I see plenty of the IPs of the subnets.
Cheers Qinn
-
@qinn said in Quick Snort Setup Instructions for New Users:
New to Snort, I followed this one https://www.youtube.com/watch?v=-GgqYq5-EBg&feature=youtu.be and set up accordingly only one interface, e.g. the WAN.
Strangely enough, I only see one source IP address (LAN) in the Alerts tab. I have 10 subnets, with many users using the internet, so what am I overlooking? For instance, in pfBlockerNG-devel I see plenty of the IPs of the subnets.
Cheers Qinn
When you run Snort on the WAN, it sees inbound traffic from the Internet before the NAT rules are unwound. So every packet has the public WAN IP address of your firewall as the destination. Only after NAT is unwound will the actual LAN IP address be present.
For this reason I recommend users run Snort on the LAN and not the WAN. When you run it on the LAN, it sees packets after NAT has been unwound so the IP addresses map directly to your LAN hosts.
-
@bmeeks first thank you for the advice. I have changed it from WAN to WLAN (a private VLAN subnet for an AP) which has internet access and roughly 20 nodes, smartphones, desktops, Sonos etc.
In 2 hours' time there were 10 alerts => (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE. I have only enabled "Snort will use rules from one of three pre-defined IPS policies in the Snort Subscriber rules" and IPS Policy Selection checked.
-
@qinn said in Quick Snort Setup Instructions for New Users:
@bmeeks first thank you for the advice. I have changed it from WAN to WLAN (a private VLAN subnet for an AP) which has internet access and roughly 20 nodes, smartphones, desktops, Sonos etc.
In 2 hours' time there were 10 alerts => (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE. I have only enabled "Snort will use rules from one of three pre-defined IPS policies in the Snort Subscriber rules" and IPS Policy Selection checked.
The HTTP_INSPECT preprocessor rules will fire frequently and these days are mostly false positives. Most admins disable several of the HTTP_INSPECT rules. Search the IDS/IPS sub-forum here for suggestions on Snort Suppression Lists to find rules that most users suggest either suppressing or disabling.
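As an added illustration of the suppress-or-disable choice described above (my own example, not bmeeks's text or the Snort project's code), this is what a pfSense Snort Suppression List entry looks like, written in standard Snort `suppress` syntax. The GID/SID pair is assumed from the stock Snort 2.9 preprocessor rule numbering for that http_inspect message, so check it against the GID:SID shown in the Alerts tab before using it; the address range is a constructed placeholder.

```conf
# Added example, not from the thread: Suppression List entries for the
# noisy http_inspect response check mentioned in the post above.
# GID 120 = http_inspect server-response preprocessor rules;
# SID 3 = "NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE"
# (assumed from stock Snort 2.9 preprocessor_rules; verify in the Alerts tab).

# Option 1: silence this alert everywhere. It is a protocol-compliance
# check on the HTTP response, not a signature for a specific threat.
suppress gen_id 120, sig_id 3

# Option 2: silence it only for responses from a known-benign server range
# (constructed placeholder network) and keep it live for everything else.
# For response-side http_inspect alerts the "source" is the web server.
suppress gen_id 120, sig_id 3, track by_src, ip 203.0.113.0/24
```

Suppression only hides the alert from the log and from blocking; the rule still runs. If you would rather not evaluate it at all, disable the rule on the interface's Rules tab (or through SID management), which is the "disabling" alternative bmeeks mentions. Suppressing first and disabling later, once you are sure a rule is pure noise on your network, keeps the change easy to reverse.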
-
@bmeeks now that I reread my reply, I realize I wasn't clear: I should have emphasized that I only had these ten alerts in 2 hours, and that seems rather meager. I would have expected to see loads of alerts, as approximately 20 users (smartphones, desktops, Sonos etc.) are on this subnet.
-
@qinn, it depends totally on which precise rules are enabled and what the traffic on your network actually consists of. The goal in IDS/IPS is to get no or very few alerts and blocks. That means your network is relatively secure and clients are following the rules ...
I don't mean to say you should never get alerts, though. Just that you don't want to be receiving hundreds per hour. Once blocking is enabled that might drive you crazy as an admin. Within the IPS Policies, the Snort team has selected rules that provide security without a ton of false positive alerts.
-