Set Up Intrusion Detection Using Snort on pfSense 2.0
Why Set Up an Intrusion Detection System?
Hackers, viruses, and other threats are constantly probing your network, looking for a way to get in. It only takes one hacked machine for an entire network to become compromised. For these reasons, I recommend setting up an intrusion detection system so you can keep your systems secure and monitor the various threats on the Internet.
Snort is an open source IDS that can easily be installed on a pfSense firewall to protect a home or corporate network from intruders. Snort can also be configured to function as an intrusion prevention system (IPS), making it very flexible.
In this article, I'll walk you through the process of installing and configuring Snort on pfSense 2.0 so you can begin analyzing traffic in real-time.
Installing the Snort Package
To get started with Snort you'll need to install the package using the pfSense package manager. The package manager is located in the system menu of the pfSense web GUI.
Locate Snort from the list of packages and then click the plus symbol on the right side to begin the installation.
It's normal for Snort to take a couple of minutes to install, since it has several dependencies that pfSense must first download and install.
After the installation is complete Snort will show up in the services menu.
Obtaining an Oinkmaster Code
For Snort to be useful, it needs to be updated with the latest set of rules. The Snort package can automatically update these rules for you, but first you must obtain an Oinkmaster code.
There are two different sets of Snort rules available:
- The subscriber release set is the most up-to-date set of rules available. Real-time access to these rules requires a paid annual subscription.
- The other rule set is the registered user release, which is completely free to anyone who registers on the Snort.org site.
The main difference between the two rule sets is that the rules in the registered user release are 30 days behind the subscription rules. If you want the most up-to-date protection, you should obtain a subscription.
Follow the steps below to obtain your Oinkmaster code:
- Visit the Snort rules webpage to download the version you need.
- Click on 'Sign Up for an Account' and create a Snort account.
- After you have confirmed your account, log in at Snort.org.
- Click on 'My Account' on the upper link bar.
- Click on the 'Subscriptions and Oinkcode' tab.
- Click on the Oinkcodes link and then click 'Generate code'.
The code will remain stored within your account so you can obtain it later if needed. This code will need to be entered into the Snort settings in pfSense.
Entering the Oinkmaster Code in Snort
After obtaining the Oinkcode, it must be entered in the Snort package settings. The Snort settings page will appear in the services menu of the web interface. If it's not visible, make sure the package is installed and re-install the package if needed.
The Oinkcode must be entered on the global settings page of the Snort settings. I also like to check the box to enable the Emerging Threats rules. The ET rules are maintained by an open-source community and can provide some additional rules that may not be found in the Snort set.
By default, the Snort package will not update the rules automatically. The recommended update interval is once every 12 hours, but you can change this to suit your environment.
Don't forget to click the 'save' button once you've finished making the changes.
Manually Updating the Rules
Snort doesn't come with any rules, so you'll have to manually update them the first time. To run the manual update, click on the updates tab and then click the update rules button.
The package will download the latest rule sets from Snort.org and also Emerging Threats if you have that option selected.
After the updates are finished, the rules will be extracted and are then ready for use.
Before Snort can start functioning as an intrusion detection system, you must assign interfaces for it to monitor. The typical configuration is for Snort to monitor any WAN interfaces. Another common configuration is for Snort to monitor both the WAN and LAN interfaces.
Monitoring the LAN interface can provide some visibility into attacks originating from within your network. It's not uncommon for a PC on the LAN to become infected with malware and begin launching attacks on systems inside and outside the network.
To add an interface, click the plus symbol found on the Snort interfaces tab.
Configuring the Interface
After clicking the add interface button, you will see the interface settings page. The settings page contains a lot of options, but there are only a few you really need to worry about to get things up and running.
- First, check the enable box at the top of the page.
- Next, select the interface you want to configure (in this example I'm configuring the WAN first).
- Set the memory performance to AC-BNFA.
- Check the box "Log Alerts to snort unified2 file" so barnyard2 will function.
- Click save.
If you are running a multi-wan router, you can go ahead and configure the other WAN interfaces on your system. I also recommend adding the LAN interface.
Selecting Rule Categories
Before you start the interfaces, there are a few more settings that need to be configured for each interface. To configure the additional settings, go back to the Snort interfaces tab and click the 'E' symbol on the right side of the page next to the interface. This will take you back to the configuration page for that particular interface.
To select the rule categories that should be enabled for the interface, click on the categories tab. All of the detection rules are divided into categories. Categories containing rules from Emerging Threats begin with 'emerging', and categories containing rules from Snort.org begin with 'snort'.
After selecting the categories, click the save button at the bottom of the page.
What is the purpose of rule categories?
By dividing the rules into categories, you can enable only the particular categories you are interested in. I recommend enabling some of the more general categories. If you are running specific services on your network such as a web or database server, then you should enable categories pertaining to them as well.
It's important to remember that Snort will require more system resources each time an additional category is turned on. Each additional category can also increase the number of false positives. In general, it's best to turn on only the groups you need, but feel free to experiment with the categories and see what works best.
How can I obtain more information about the rules categories?
If you want to find out what rules are in a category and learn more about what they do, then you can click on the category. This will link you directly to the list of all rules within the category.
Popular Snort Rule Categories
Targets known botnet command and control hosts.
Detects denial of service attacks.
These rules detect port scans, Nessus probes, and other information gathering attacks.
Detects signatures of known trojans, viruses, and worms. It is highly recommended to use this category.
Preprocessor and Flow Settings
There are a few settings on the preprocessors settings page that should be enabled. Many of the detection rules require HTTP inspect to be enabled in order for them to work.
- Under HTTP inspect settings, enable 'Use HTTP Inspect to Normalize/Decode'
- In the general preprocessor settings section, enable 'Portscan Detection'
- Save the settings.
Starting the Interfaces
When a new interface is added to Snort, it does not automatically start running. To manually start interfaces, click on the green play button on the left side of each interface that is configured.
When Snort is running, the text behind the name of the interface will appear in green. To stop Snort, click on the red stop button located on the left side of the interface.
If Snort Fails to Start
There are a couple of common problems that can prevent Snort from starting.
- Check the rules: To verify the installation of the rules, click on the updates tab and look for a hash under the installed signature rule set section. You should see something like SNORT.ORG >>> "59b31f005c3d4ead427cba4b02fffd70".
- Preprocessor settings: Several of the rules require that the HTTP inspect option is enabled in the preprocessor settings, so make sure you have this feature turned on.
- Check the system logs: If Snort encounters an error, you'll see the message in the system logs. The system logs can be found under Status/System Logs. The error will often tell you exactly what the problem is.
Checking for Alerts
After Snort has been successfully configured and started, you should begin to see alerts once traffic matching the rules is detected.
If you don't see any alerts, give it a bit of time and then check again. It can take a while before you see any alerts, depending on the amount of traffic and rules that are enabled.
If you want to view the alerts remotely, you can enable the interface setting "Send alerts to main system logs." Alerts that appear in the system logs can be viewed remotely using Syslog.
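A small parser for the alerts this setting forwards to syslog, as an added example that is not part of the original article or the Snort package. It assumes Snort's standard syslog alert layout; the hostname, SIDs, messages and addresses in the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic) in Snort's syslog alert layout.
SAMPLE_LOG = """\
Jan 12 03:14:07 pfsense snort[4321]: [1:1000001:1] ET SCAN constructed port sweep [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40112 -> 198.51.100.20:22
Jan 12 03:14:09 pfsense snort[4321]: [1:1000001:1] ET SCAN constructed port sweep [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40113 -> 198.51.100.20:23
Jan 12 03:15:30 pfsense snort[4321]: [1:1000002:3] ET TROJAN constructed beacon [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.50:49152 -> 203.0.113.99:80
Jan 12 03:16:02 pfsense dhcpd: DHCPACK on 192.168.1.50
Jan 12 03:17:45 pfsense snort[4321]: [1:1000003:2] constructed ICMP probe [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 198.51.100.20
"""

# [gid:sid:rev] message [Classification: ..] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[^}]+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)

def strip_port(endpoint):
    # IPv4 "addr:port" has exactly one colon; ICMP alerts carry no port.
    return endpoint.split(":")[0] if endpoint.count(":") == 1 else endpoint

def parse_alert(line):
    """Return the alert fields as a dict, or None for non-Snort log lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    alert = m.groupdict()
    alert["sid"], alert["prio"] = int(alert["sid"]), int(alert["prio"])
    alert["src_ip"], alert["dst_ip"] = strip_port(alert["src"]), strip_port(alert["dst"])
    return alert

def summarize(lines):
    """Count alerts per signature and per source; collect priority-1 alerts."""
    by_sig, by_src, urgent = Counter(), Counter(), []
    for alert in filter(None, map(parse_alert, lines)):
        by_sig[(alert["sid"], alert["msg"])] += 1
        by_src[alert["src_ip"]] += 1
        if alert["prio"] == 1:  # 1 is Snort's highest priority
            urgent.append(alert)
    return by_sig, by_src, urgent

if __name__ == "__main__":
    by_sig, by_src, urgent = summarize(SAMPLE_LOG.splitlines())
    for (sid, msg), count in by_sig.most_common():
        print(f"{count:4d}  sid {sid}  {msg}")
    print("top sources:", by_src.most_common(3), "| priority-1 alerts:", len(urgent))
```

Signatures that dominate the counts at low priority are the first ones to review when deciding which rule categories to leave enabled.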
© 2011 Sam Kear