
Set Up Intrusion Detection Using Snort on pfSense 2.0

Updated on September 19, 2016

Sam works as a Network Analyst for an algorithmic trading firm. He obtained his Bachelors Degree in Information Technology from UMKC.

Why Set Up an Intrusion Detection System?

Hackers, viruses, and other threats are constantly probing your network, looking for a way to get in. It only takes one hacked machine for an entire network to become compromised. For these reasons, I recommend setting up an intrusion detection system so you can keep your systems secure and monitor the various threats on the Internet.

Snort is an open source IDS that can easily be installed on a pfSense firewall to protect a home or corporate network from intruders. Snort can also be configured to function as an intrusion prevention system (IPS), making it very flexible.

In this article, I'll walk you through the process of installing and configuring Snort on pfSense 2.0 so you can begin analyzing traffic in real-time.

Installing the Snort Package

To get started with Snort you'll need to install the package using the pfSense package manager. The package manager is located in the system menu of the pfSense web GUI.

Locate Snort from the list of packages and then click the plus symbol on the right side to begin the installation.

It's normal for Snort to take a couple of minutes to install; it has several dependencies which pfSense must first download and install.

After the installation is complete, Snort will show up in the services menu.

Snort can be installed using the pfSense package manager.
It's not uncommon for the installation to take a few minutes to complete.
Once the install process completes, Snort will appear in the services menu.

Obtaining an Oinkmaster Code

For Snort to be useful, it needs to be updated with the latest set of rules. The Snort package can automatically update these rules for you, but first you must obtain an Oinkmaster code.

There are two different sets of Snort rules available:

  • The subscriber release is the most up-to-date set of rules available. Real-time access to these rules requires a paid annual subscription.
  • The registered user release is completely free to anyone who registers on the Snort.org site.

The main difference between the two rule sets is that the rules in the registered user release are 30 days behind the subscription rules. If you want the most up-to-date protection, you should obtain a subscription.

Follow the steps below to obtain your Oinkmaster code:

  1. Visit the Snort rules webpage to download the version you need.
  2. Click on 'Sign Up for an Account' and create a Snort account.
  3. After you have confirmed your account, log in at Snort.org.
  4. Click on 'My Account' on the upper link bar.
  5. Click on the 'Subscriptions and Oinkcode' tab.
  6. Click on the Oinkcodes link and then click 'Generate code'.

The code will remain stored within your account so you can obtain it later if needed. This code will need to be entered into the Snort settings in pfSense.

An Oinkmaster code is required to download rules from Snort.org.
After you've created an account, click on the Subscriptions and Oinkcodes tab in your account.
Copy and paste the code into the Snort settings in pfSense.

Entering the Oinkmaster Code in Snort

After obtaining the Oinkcode, it must be entered in the Snort package settings. The Snort settings page will appear in the services menu of the web interface. If it's not visible, make sure the package is installed and re-install the package if needed.

The Oinkcode must be entered on the global settings page of the Snort settings. I also like to check the box to enable the Emerging Threats rules. The ET rules are maintained by an open-source community and provide additional rules that may not be found in the Snort set.

Automatic Updates

By default, the Snort package will not update the rules automatically. The recommended update interval is once every 12 hours, but you can change this to suit your environment.

Don't forget to click the 'save' button once you've finished making the changes.

Paste the Oinkmaster code in the global settings tab of Snort.

Manually Updating the Rules

Snort doesn't come with any rules, so you'll have to manually update them the first time. To run the manual update, click on the updates tab and then click the update rules button.

The package will download the latest rule sets from Snort.org and also Emerging Threats if you have that option selected.

After the updates are finished, the rules will be extracted and are then ready for use.

The rules must be manually downloaded the first time Snort is set up.
The rules normally take a couple of minutes to download and install.
After the update is completed, you can return to the Snort settings page.

Adding Interfaces

Before Snort can start functioning as an intrusion detection system, you must assign interfaces for it to monitor. The typical configuration is for Snort to monitor any WAN interfaces. The other common configuration is for Snort to monitor both the WAN and LAN interfaces.

Monitoring the LAN interface provides some visibility into attacks originating from within your network. It's not uncommon for a PC on the LAN to become infected with malware and begin launching attacks on systems both inside and outside the network.

To add an interface, click the plus symbol found on the Snort Interfaces tab.

You will need to add each interface that Snort will run on.

Configuring the Interface

After clicking the add interface button, you will see the interface settings page. The settings page contains a lot of options, but there are only a few you really need to worry about to get things up and running.

  1. First, check the enable box at the top of the page.
  2. Next, select the interface you want to configure (in this example I'm configuring the WAN first).
  3. Set the memory performance to AC-BNFA.
  4. Check the box "Log Alerts to snort unified2 file" so barnyard2 will function.
  5. Click save.

If you are running a multi-wan router, you can go ahead and configure the other WAN interfaces on your system. I also recommend adding the LAN interface.

Configure the settings for the interface.

Selecting Rule Categories

Before you start the interfaces, there are a few more settings that need to be configured for each interface. To configure the additional settings, go back to the Snort interfaces tab and click the 'E' symbol on the right side of the page next to the interface. This will take you back to the configuration page for that particular interface.

Click the edit button next to the interface to change additional settings.

To select the rule categories that should be enabled for the interface, click on the categories tab. All of the detection rules are divided into categories. Categories containing rules from Emerging Threats will begin with 'emerging,' and rules from Snort.org begin with 'snort.'

After selecting the categories, click the save button at the bottom of the page.

Select the detection rule categories that you want to enable.

What is the purpose of rule categories?

By dividing the rules into categories, you can enable only the particular categories you are interested in. I recommend enabling some of the more general categories. If you are running specific services on your network such as a web or database server, then you should enable categories pertaining to them as well.

It's important to remember that Snort will require more system resources each time an additional category is turned on, and more enabled categories can also increase the number of false positives. In general, it's best to turn on only the groups you need, but feel free to experiment with the categories and see what works best.

How can I obtain more information about the rules categories?

If you want to find out what rules are in a category and learn more about what they do, then you can click on the category. This will link you directly to the list of all rules within the category.

Popular Snort Rule Categories

  Category Name           Description
  snort_botnet-cnc.rules  Targets known botnet command and control hosts.
  snort_ddos.rules        Detects denial of service attacks.
  snort_scan.rules        Detects port scans, Nessus probes, and other information gathering attacks.
  snort_virus.rules       Detects signatures of known trojans, viruses, and worms. It is highly recommended to use this category.

These are some of the most popular Snort rule categories that you may want to enable.

Preprocessor and Flow Settings

There are a few settings on the preprocessors settings page that should be enabled. Many of the detection rules require HTTP inspect to be enabled in order for them to work.

  1. Under HTTP inspect settings, enable 'Use HTTP Inspect to Normalize/Decode'
  2. In the general preprocessor settings section, enable 'Portscan Detection'
  3. Save the settings.

There are some important settings on the preprocessor and flow page that must be configured for each interface.

Starting the Interfaces

When a new interface is added to Snort, it does not automatically start running. To manually start interfaces, click on the green play button on the left side of each interface that is configured.

When Snort is running, the text behind the name of the interface will appear in green. To stop Snort, click on the red stop button located on the left side of the interface.


If Snort Fails to Start

There are a couple of common problems that can prevent Snort from starting.

  • Check the rules: To verify the installation of the rules, click on the updates tab and look for a hash under the installed signature rule set section. You should see something like SNORT.ORG >>> "59b31f005c3d4ead427cba4b02fffd70."
  • Preprocessor settings: Several of the rules require that the HTTP inspect option is enabled in the preprocessor settings, so make sure you have this feature turned on.
  • Check the system logs: If Snort encounters an error, you'll see the message in the system logs. The system logs can be found under Status/System Logs. The error will often tell you exactly what the problem is.

Checking for Alerts

After Snort has been successfully configured and started, you should begin to see alerts once traffic matching the rules is detected.

If you don't see any alerts, give it a bit of time and then check again. It can take a while before you see any alerts, depending on the amount of traffic and rules that are enabled.

If you want to view the alerts remotely, you can enable the interface setting "Send alerts to main system logs." Alerts that appear in the system logs can be viewed remotely using Syslog.
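As an added example (not part of the original article), here is a small Python script that parses Snort alert lines in the syslog format pfSense forwards when "Send alerts to main system logs" is enabled, then summarizes them by priority, by source address, and by whether the source is a LAN host (the infected-PC case mentioned above). The sample log lines, the rule SIDs and the LAN prefix 192.168.1.0/24 are constructed assumptions, not data from the article.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of pfSense system-log lines. The snort lines follow Snort's
# syslog alert format; the rule SIDs (1000001, 1000002) are made-up local-range
# values, not real Snort.org or Emerging Threats rule ids.
SAMPLE_LOG = """\
Sep 19 10:01:02 pfsense snort[41233]: [1:1000001:1] SCAN Nessus probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.10:44123 -> 198.51.100.2:80
Sep 19 10:01:05 pfsense snort[41233]: [1:1000001:1] SCAN Nessus probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.10:44124 -> 198.51.100.2:443
Sep 19 10:02:17 pfsense snort[41233]: [122:1:0] (portscan) TCP Portscan [Priority: 3] {PROTO:255} 203.0.113.10 -> 198.51.100.2
Sep 19 10:05:44 pfsense snort[41301]: [1:1000002:2] TROJAN Known C&C checkin [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.25:51022 -> 203.0.113.77:80
Sep 19 10:06:01 pfsense php: rc.start_packages: restarting snort
"""

# One Snort alert as written to syslog: [gid:sid:rev] msg [Classification: ...]
# [Priority: n] {proto} src[:port] -> dst[:port]. The classification and the
# ports are optional (preprocessor alerts such as portscan omit them).
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?"
    r"\[Priority: (?P<priority>\d+)\] \{(?P<proto>[^}]+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def parse_alerts(log_text):
    """Return one dict per Snort alert line; lines from other daemons are skipped."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            fields = m.groupdict()
            fields["priority"] = int(fields["priority"])
            alerts.append(fields)
    return alerts

def summarize(alerts, lan=ip_network("192.168.1.0/24")):
    """Counts per priority, counts per source IP, and the alerts whose source
    sits on the LAN. The LAN prefix is an assumed default; pass your own."""
    by_priority = Counter(a["priority"] for a in alerts)
    by_source = Counter(a["src"] for a in alerts)
    from_lan = [a for a in alerts if ip_address(a["src"]) in lan]
    return by_priority, by_source, from_lan

if __name__ == "__main__":
    pri, src, lan_hits = summarize(parse_alerts(SAMPLE_LOG))
    print(dict(pri), src.most_common(3), [a["src"] for a in lan_hits])
```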

© 2011 Sam Kear

Comments



      tibbs 8 months ago

      You are recommending snort_virus.rules, but what if ClamAV is already enabled using the squid package? Which one to prefer? Snort with snort_virus.rules or ClamAV? Isn't it needless to activate both?


      Pankaj Kumar 19 months ago

      On pfSense 2, following your document, I have set up Snort, but it's blocking all the traffic, even Internet. Please help me rectify this problem.
