Use pfsense as snort only box
-
If I just wanted to use the snort functionality of pfsense in bridge mode between my ISP and my main router, would I just configure snort as usual and place an any/any rule from WAN to LAN? Has anyone had experience doing that?
-
I've never really thought about this application. If you mean a true bridge, then Snort on pfSense might get confused when trying to build the HOME_NET and EXTERNAL_NET variables. You could give it a try and see how it works.
Bill
-
I know this is not the reply for your question, but it's a bit relevant, so I'm posting it anyway.
The way snort is implemented in pfsense is "before" the firewall. Imagine it like this. Packets come in from one interface. They start getting processed by snort and, depending on their priority and how fast their processing completes, some packets "leak" into the destination interface (where, if they should not be allowed, they are dropped). This could be the snort alert autoblock part, since I believe it is custom code for pfsense and could be slow to respond. But I mentioned priority because I noticed that lower priority alerts leak fewer packets.
And to make myself perfectly clear (which is mathematically proven to be impossible) let's take a scan of several hosts behind a pfsense box running snort to further explain the leak. Let's use .0 for the firewall and .1 to .5 for the hosts.
The (usually) teenage-has-seen-hackers-the-movie-and-thinks-he-can-own-the-planet OR the (as mentioned on his business card) HIGHLY-advanced-network-security-EXPERT-using-tomorrow's-technology person will fire up the port scanner. Assuming (you should never assume because you make an … out of yourself) that the scanning takes 5 seconds, and it's a low to high scan.
The scan hits .0, which is the firewall, and starts getting processed by snort; it matches a rule, the alert is generated, the autoblock takes over, the attacker IP is added to the banned list and the firewall states are killed. In the meantime hosts .1, .2 and .3 have been "hit" by the scan (actually the packets were dropped by pfsense). Neither pfsense nor the hosts will show logs for .4 and .5 because the IP has already been blocked. Snort will show alerts though, which comes in handy to track which attacker keeps attacking.
See what I mean by leaked? If snort was running inline AND packets were verified not to match any rules AND rules were modified so that packets should be dropped, no packets would get through. And after reading through that autobiography above, I'm pretty sure you need me to finally get to the point. Snort on pfsense is not worth running on a separate box in front of a router because it leaks. Either remove that router and install a pfsense-with-snort box in its place, or don't even bother with it. Running a separate box for the same functionality as a single box is just wasting space, electricity, sanity and time well spent elsewhere.
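A toy timeline model of the leak described in this post, added here as an illustration (it is not code from the thread, from pfSense or from Snort); the hosts, the scanner address and the 5-second scan / 3-second autoblock timings are constructed assumptions:

```python
"""Added example, not from the thread: a toy timeline of the "leak" jflsakfja
describes. A scan walks hosts .1 to .5 behind a Snort box; with reactive
blocking (alert -> autoblock -> kill states) packets keep arriving until the
block lands, whereas inline drop stops at the first matching packet.
Hosts, scanner address and timings are constructed for illustration."""
from dataclasses import dataclass, field

@dataclass
class Packet:
    t: float    # seconds since the scan started
    src: str
    dst: str

@dataclass
class ReactiveBlocker:
    """Alert on the first matching packet, block `block_latency` seconds later.
    Everything in between still reaches the firewall policy ("leaks")."""
    block_latency: float
    block_at: dict = field(default_factory=dict)   # src -> time the block is active

    def handle(self, pkt):
        t_block = self.block_at.get(pkt.src)
        if t_block is None:
            # first sighting raises the alert and schedules the autoblock
            self.block_at[pkt.src] = pkt.t + self.block_latency
        elif pkt.t >= t_block:
            return "blocked"
        return "leaked"

@dataclass
class InlineDropper:
    """Inline IPS: the matching packet and every later one from that source is dropped."""
    dropped_srcs: set = field(default_factory=set)

    def handle(self, pkt):
        self.dropped_srcs.add(pkt.src)   # in this toy every scan packet matches the rule
        return "dropped"

def scan(hosts, seconds, scanner="203.0.113.7"):
    """Constructed low-to-high scan: one host per step, spread evenly over `seconds`."""
    step = seconds / len(hosts)
    return [Packet(i * step, scanner, h) for i, h in enumerate(hosts)]

def run(engine, packets):
    """Map each scanned host to what happened to the packet aimed at it."""
    return {p.dst: engine.handle(p) for p in packets}

if __name__ == "__main__":
    hosts = [f"192.0.2.{i}" for i in range(1, 6)]
    print(run(ReactiveBlocker(block_latency=3.0), scan(hosts, 5.0)))
    print(run(InlineDropper(), scan(hosts, 5.0)))
```

With the constructed numbers the reactive engine lets the packets for .1, .2 and .3 through and blocks .4 and .5, reproducing the post's timeline; the inline engine drops all five.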
-
Linux can be set up as a router. Linux (and Windows) can run a piece of software called Snort. Snort is a sensor for an Intrusion Detection System. Snort is usually set up on a switch segment on a "mirrored trunk port".
Snort is not a firewall. It is not an IPS. It won't stop an attack. Snort is just a sensor.
It is incredibly convenient to monitor all ingress and egress traffic using it on the same device as pfsense. You could also add ZFS support and run it as a NAS. Add Asterisk and run it as a PBX also.
If someone does get into your pfsense box they will turn off your sensor, have access to your files, and make phone calls as you.
If the hardware or software breaks on pfsense, you now lose all 4 devices.
Pfsense is great for a hobby or a super cheap fix. If you are looking for a firewall, IPS, with the same rule-set as commercial snort you are looking for one of SourceFire's commercial products.
If you are looking for a router, I'd recommend a router.
If you are looking for Snort to act as a sensor, you will want it on the inside of your network firewall on a port mirroring your firewall and on its own hardware. Outside, you will regularly get alerts. To directly answer your question, "Yes, you could do that but it won't be incredibly helpful."
-
Snort can be used as an IPS as I mentioned above. Would I go with that route? No, I would use suricata for a dedicated box in front of a pfsense router.
pfsense can be used as a hobby but also as a full featured production environment router. That's the way I use it (redundant routers + snort). Alerts generated outside the firewall are like alarms going off every time someone tries to climb over your house's fence. Alarms going off from inside your network mean that particular someone has already climbed the fence, found an open window at your house and is in the process of stealing your TV. Personally I prefer to get alarms every time someone tries to climb over my fence. The fence door is there for a reason.
Please have a look at the sticky if alerts are constantly generated for you. I have a list up there that I will be updating shortly that is used on my production machines (providing internet for a few clients, protecting webservers, fileservers, database servers, email servers, dedicated servers and VPSs), and there are almost no false positives with it. The few false positives are quickly identified and added to my personal list of rules to turn off, which are then added to the sticky.
A small example of alerts generated from outside the network is all the sipvicious alerts. That alert cannot be generated from inside the network because the firewall has already taken care of dropping the packets. But if someone is trying to scan my network for VOIP exploits, he is more likely to try a portscanner after that. An exploit scanner is almost guaranteed to follow. Getting an alert and blocking the IP when it first scanned for the VOIP exploits stops him right then and there.
Is snort the end-all, be-all solution? No. The recent phppath 0day exploit was caught by other means long before it was added to the snort ET current events list, because it used a should-be-long-abolished-by-now host header. Tip: why is your client asking for a file with an HTTP host header that is equal to my server's IP or is completely missing? It's 2013 and webservers have long supported SSL certificates on single IPs and domain names are now extremely cheap, which means if you are requesting a file, you should be requesting it with a full domain as the HTTP host header. All other methods of requesting it should be banned by official government statements and should be on mainstream breaking news every half an hour for the foreseeable future. A suricata (or snort inline) box in front of the firewalls would have prevented the request from ever getting to the webservers. But the request did get through and the server was set up with a way to know that it should be ignored and the requesting IP banned.
-
I don't get you at all. You are saying don't use pfsense as a router, get a router. Don't use snort and pfsense, but a sourcefire product. You are also worried about pfsense getting taken over and knocking down the system. I have also seen that if they take over your router (say a sourcefire product), nothing is stopping the intruder from getting on your other systems anyway. I do agree that it's better to spread out your servers, but it all depends on the size of the organization. It's not always feasible to have multiple devices. Also, if you read your message, you are saying pfsense sucks and buy something commercial. If that is what you are actually intending (probably not, as you are in this forum), then why would you be here?
Back to the original poster… While I don't see any merit in the original question, I do see what he is trying to do.
He wants to run pfsense and snort in front of his existing router to just run snort. It just does not make networking sense, which is what everyone seems to agree with.
-
As a rule of thumb, "central" systems can be used on the same box without reducing your chances of someone taking over that box.
"Central" systems are firewalls, routers (technically a firewall is a router without rules allowing traffic, but I digress) and IPS/IDS systems.
Normally, as I mentioned above, the IPS/IDS system would sit in front of the firewall. If that box gets rooted, it's game over. If your firewall/router is rooted, it's also game over. Those 2 boxes can be combined. I'm talking about saving space/electricity here; saturating multiple 10Gbit lines is not our goal in this particular case. Central logging systems are not in the "central" systems category. Those should and MUST be on separate hosts, ideally with a monitor and keyboard attached to them and all forms of remote access except rsyslog disabled. See what I'm getting at? Every box that has traffic for the entire network flowing through it can and should be combined if the performance is acceptable. Every box that has sensitive information and traffic flowing ONLY for it should be separated to its core function only. And to further try and explain myself, running snort on your pfsense firewall is perfectly acceptable. Running an email server or a file server on your firewall is NOT acceptable.
Back to the point, as I said above, just replace your router with a pfsense running snort router, you don't need to run them on separate boxes. Don't ever, ever, EVER let anyone tell you that pfsense should not be used and that you should buy a commercial product.
-
All, thanks for the info. Unfortunately, I can't replace my current router with a pfsense router. That's why I want to just use the snort piece of pfsense in front of our name-brand router. I would imagine it would work as a bridge if I just allowed any/any on WAN, right, and had snort running? What IP would be assigned to the pfsense box, if I needed my WAN router to be behind it? Is there a way to run pfsense in bridge mode? Basically what I am looking for is a way to run snort in a GUI that has an alerting and auto-blocking function that's easy to manage, an easy-to-use IDS/IPS as snort has become in pfsense. Any help is appreciated.
-
pfsense can easily be used as a transparent bridge, see http://forum.pfsense.org/index.php/topic,20917.0.html and adapt accordingly. Don't forget to allow any>any on both interfaces, and DO NOT use the lan interface as a member of the bridge.
As long as snort knows what the home net is, it will work. This will require you to manually set the home net and ignore the default one/s, since the interfaces will not have any IP numbers, so it's highly likely that snort will not know what IP to use.
-
This sounds dumb, but how would I interact with the GUI? What IPs would I assign on the WAN and OPT? Would the OPT1 (the other side of the bridge) be the same IP as the router behind it? Just a bit confused on the IP addressing. Thanks again for all your help with this.
-
@justgosh:
If the hardware or software breaks on pfsense, you now lose all 4 devices.
If you are looking for a firewall, IPS, with the same rule-set as commercial snort you are looking for one of SourceFire's commercial products.
If you are looking for a router, I'd recommend a router.
If you are looking for Snort to act as a sensor, you will want it on the inside of your network firewall on a port mirroring your firewall and on its own hardware. Outside, you will regularly get alerts.
There are several mistakes and logical fallacies in justgosh's post, which IMHO should be addressed for the benefit of less experienced readers.
The fact that pfSense allows you to perform several functions (router, firewall, IDS, proxy) in a single hardware device can be very helpful and may actually increase overall reliability in many deployment scenarios, when two such pfsense "multi-purpose" (router/firewall/ids/proxy) boxes are deployed as a high-availability failover pair.
On the contrary, if one deploys several (3-4) different specialty boxes (router, firewall, IDS/IPS) as justgosh seems to suggest, connected serially one after another, just one failure in the chain of these boxes puts everything out of service (or you'd have to deploy redundant pairs of each one i.e. 2x4=8 boxes).
Having said that, I would like to see a review of pfSense's security model (currently most daemons run as root), perhaps moving certain packages/services like squid into "containers" (BSD jails).
@justgosh:
Pfsense is great for a hobby or a super cheap fix.
I won't even bother to refute this assertion, the record of successful pfSense installations speaks for itself.
-
@jflsakfja:
As long as snort knows what the home net is, it will work. This will require you to manually set the home net and ignore the default one/s since the interfaces will not have any IP numbers, so it's highly likely that snort will not know what IP to use.
This post from jflsakfja is spot on. Using the bridge scenario, Snort will get confused when trying to construct the default "automatic" HOME_NET. You will want to go to the Whitelists tab and manually create a "whitelist". In reality it won't be used as a true whitelist, but that's just the way the GUI currently works and how it names things. You are actually going to use the whitelist to define HOME_NET.
Back on topic – create a "whitelist" containing the local subnets you want to protect. You will likely have to first create them as an Alias (or a group Alias if you have more than one local IP subnet you want to protect), and assign that Alias to the new "whitelist" you create. Give the new whitelist a name like "My_HOME_NET" or something that makes sense for you.
Now go to the Interface tab (WAN, for example) and scroll down until you see the WHITELIST setting drop-down. Click it and choose the new whitelist you created above. Save the changes and you should be good. Post back with your results if you try this. I am interested in how it works.
Bill
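To illustrate the HOME_NET point from this post and from jflsakfja's earlier one, an added example (not pfSense's or the Snort package's own code) that models an automatic versus a manually defined HOME_NET with Python's ipaddress module; the subnets, the alert addresses and the simplifying assumption that the automatic HOME_NET is derived purely from interface addresses are constructed for illustration:

```python
"""Added example, not from the thread or the pfSense Snort package: a small model
of the HOME_NET problem on a bridge. Bridged members carry no IP, so an
address-derived HOME_NET comes out empty; a manually defined one (the GUI
"whitelist" described in the post) restores the inside/outside distinction that
$HOME_NET/$EXTERNAL_NET rule headers rely on. Subnets and addresses are constructed."""
import ipaddress

def auto_home_net(interface_addrs):
    """Derive HOME_NET the automatic way, from interface addresses given as CIDR strings."""
    return sorted({str(ipaddress.ip_interface(a).network) for a in interface_addrs})

def snort_ipvars(home_net):
    """Render the Snort 2 variable lines; refuse an empty list rather than emit a
    HOME_NET that covers nothing."""
    if not home_net:
        raise ValueError("HOME_NET is empty: define it manually")
    return [f"ipvar HOME_NET [{','.join(home_net)}]", "ipvar EXTERNAL_NET !$HOME_NET"]

def direction(home_net, src, dst):
    """Classify an alert the way $HOME_NET/$EXTERNAL_NET rule headers would see it."""
    nets = [ipaddress.ip_network(n) for n in home_net]
    inside = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    s, d = inside(src), inside(dst)
    if s and d:
        return "internal"
    if d:
        return "inbound"
    if s:
        return "outbound"
    return "external"   # neither side is "ours"; with an empty HOME_NET everything lands here

if __name__ == "__main__":
    bridged = []                                   # WAN/OPT1 bridge members have no address
    manual = ["192.168.1.0/24"]                    # what the GUI "whitelist" alias would hold
    print(auto_home_net(bridged))                  # [] -> the automatic HOME_NET is useless here
    print(snort_ipvars(manual))
    print(direction(manual, "203.0.113.7", "192.168.1.20"))                  # inbound
    print(direction(auto_home_net(bridged), "203.0.113.7", "192.168.1.20"))  # external
```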
-
Sorry for taking so long to respond. Been a bit busy around here ;D
Interacting with the GUI is done through the LAN interface. That's why I suggested "pfsense can easily be used as a transparent bridge, see http://forum.pfsense.org/index.php/topic,20917.0.html and adapt accordingly. Don't forget to allow any>any on both interfaces, and DO NOT use the lan interface as a member of the bridge."
pfsense works exactly the same (from a web GUI USER's point of view) whether it's running as a bridge or a routing platform. As long as the LAN interface has a valid private IP and there is a rule allowing access to the webgui port, plugging something into the LAN will allow you to administer the box. The important thing to remember is that bridged interfaces have NO IPs, which means that you have to be careful with your rules (e.g. I have rules disallowing traffic not belonging to an interface's subnet from passing through the firewall, which wouldn't work with a bridge).
A common use case for this is a fully transparent firewalling bridge, which allows for traffic control both ways of the bridge. The bonus is that the bridge is completely invisible on both sides of it (WAN/DMZ), unless you sift through each and every packet observing changes in the packet as it goes through the bridge (which no sane person will do). The LAN interface is used to monitor and administer the bridge, just like I said above. A random tip: do NOT try setting up a bridged CARP cluster without doing your research first.
Back on track:
- pfsense box with snort plugin
- no IP assigned on WAN/OPT1
- Bridge WAN/OPT1 and set up LAN interface with a valid private IP.
- webgui allow rule on LAN.
- Set up snort as mentioned above
- Enjoy :)
EDIT: hit go button too soon. A few thoughts popped up in my head after posting:
A fully transparent bridge should not be able to get on the internet. This means NO communications with the "outside world" which in turn means NO updates, NO snort rule updates (no ip assigned on the WAN, remember? ;) )
A transparent bridge with internet is a bit different. If you have multiple static IPs, just assign one to the WAN and proceed with bridging (yes, even if it has an IP; yes, I've tested a Frankenstein hybrid routing/bridged monster and it works perfectly, even LAN to OPT1, which according to documentation shouldn't work). If you don't have multiple static IPs a bit of default routes/NAT will be needed. Basically, since pfsense has no sense of other networks when used as a bridge, packets coming from itself will not know where to go or where they are coming from, and need a little "push" to get "out there" :D