Configuring Snort on Pfsense
If you would like to protect your system from any public attacks e.g. (Exploits, Transitive trust, Data driven, Infrastructure, DOS, Magic… Etc.) then you should consider deploying IDS or IPS system to detect and protect your network from any attacks.
In Pfsense the famous open source firewall, you have the capability to deploy Snort which is one of the most famous and old IDPS systems around.
In order to do so you will have to go to Packages from System/Packages and install it
After clicking on the packages button, you will get a list of packages and among them snort will be listed there
Click on the + on the far right to start the installation process.
I'll Click on Confirm to continue
After it's been installed now you'll be able to see it on the Services menu tab.
Click on Snort and let's go configure it.
Before you start configuring Snort, you must know that in order to successfully get it to work you must be registered in at least one of the snort communities which publishes important rules that tells snort what to check.. Similar to the firewall's rules.
The websites are as following and you can find their settings under the Global settings tab in snort window
I will sign up to Snort free account and configure all of the snort supported rules in order to get the most of it. After signing up I'll need to activate my account.
I have receieved the confirmation now and I'll confirm my account now, Once confirmed Snort will provide you with a code called VRT Oinkmaster confirmation code.
When your account is activated, you will need to go to your profile by clicking on your activated e-mail top right and you will find it on the left side. Copy the code and paste it to your snort on pfsense.
Just like this
So after I added the code this is how my Global Settings tab looks like (I enabled all the other free rules as well)
Now I will go to Updates tab and start updating rules tab, After clicking update this is how it will look like:
When finished this is how it'll look like
Back to the updates tab you'll notice that all the enabled rules have been updated .
If you are connecting to Pfsense from any location where you are planning to enable Snort Interface for then before you enable snort you must consider going to Pass Lists and add your IP (Either private if you're planning to enable the LAN Interface or Public IP if you're planning to include WAN Interface).
In order to create a Pass list, you will have to create an Alias and add the Ips you would like to include in the pass note that these IPS are never going to be checked or filtered by Snort.
In order to create an Alias List, click on Firewall Tab and scroll to Alias
Once in IP list page click on the + button far right to add the Ips that you would like to pass.
From type select the type of hosts that you'd like to include there, for me I'd like to include only a couple of Ips
Click Save and Apply then Close then go back to Snort's Pass Lists and click on + to add new Pass list.
Select all the Networks, WAN IP, GATEWAY, DNS and finally the Alias that you have created and save.
Once saved, this is how the pass lists is going to look like
Now we can go back to Snort Interfaces and enable the WAN Interface for snort. I'll click on Snort Interfaces tab and click + to add the new interface
Below I will select block offenders in order to protect myself from DDoS attacks and other attempts to crack internet exposed servers e.g. (FTP, Http..etc) .
Here from Pass List I will select the list which I've created in the Pass List tab
As you can see below when the icon is red it means that the Snort is not running and you will have to press on the red icon to turn it on.
After enabling the WAN interface you will have to go define some rules and enable them.
Let's define some rules for this interface e.g. FTP in order to do so I will click on the E next to the WAN description far right on the top snapshot.
We should go to WAN Categories and select different category in order to apply rules.
Enabling all rules might affect your VM or PM's processor performance.
Now I will select all the rules from the rules list below and that will enable all the rules also that are included in the Snort GPLv2 Community.
Once added, you will have to apply changes and then click on Apply …. And for any reason if the service did not start as in the below snapshot then you should navigate to Status tab and check the "System Logs"
In System logs I noticed the following error:
snort: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_6026_de0/rules/snort.rules(427) Unknown rule option: 'sd_pattern'.
After doing some digging on this error it seems that it's caused by the rule "Sensitive Data" and after disabling all the rule set in this rule I was able to start Snort on WAN again.
To disable the rules simply click on the "Disable all rules in the current Category"
When this is done, I will test snort if it's working by simply try to hack into pfsense's portal by using wrong passwords for let's say 10/20 times and see if my IP will get blocked (I'll use a different Public IP which is not in the pass lists)..
After trying about 7 attempts with wrong username and password I tried refreshing the page
Here is what I got
I will go check Snort blocked list and see if the IP that I tried connecting from is there note that the Public IP which I was trying to connect from was
As you can see below the IP has been blocked and the alert description says it as it is (http_inspection)
So that means that our snort works as it's supposedly expected to.