<!-- WP QUADS Content Ad Plugin v. 2.0.92 -->
<div class="quads-location quads-ad2530 " id="quads-ad2530" style="float:none;margin:0px 3px 3px 3px;padding:0px 0px 0px 0px;" data-lazydelay="0">

</div>

<h2 class="wp-block-heading">Configuring Snort on Pfsense (will be Updated with the latest version soon)</h2>



<p>If you would like to protect your system from any public attacks e.g. (Exploits, Transitive trust, Data driven, Infrastructure, DOS, Magic… Etc.) then you should consider deploying IDS or IPS system to detect and protect your network from any attacks.</p>
<!-- WP QUADS Content Ad Plugin v. 2.0.92 -->
<div class="quads-location quads-ad2525 " id="quads-ad2525" style="float:none;margin:0px 3px 3px 3px;padding:0px 0px 0px 0px;" data-lazydelay="0">

</div>

<!-- WP QUADS Content Ad Plugin v. 2.0.92 -->
<div class="quads-location quads-ad2529 " id="quads-ad2529" style="float:none;margin:0px 3px 3px 3px;padding:0px 0px 0px 0px;" data-lazydelay="0">

</div>

<!-- WP QUADS Content Ad Plugin v. 2.0.92 -->
<div class="quads-location quads-ad2528 " id="quads-ad2528" style="float:none;margin:0px 3px 3px 3px;padding:0px 0px 0px 0px;" data-lazydelay="0">

</div>




<h2 class="wp-block-heading">Deploying Snort</h2>



<p>In Pfsense the famous open source firewall, you have the capability to deploy Snort which is one of the most famous and old ID/PS systems around.</p>



<p>In order to do so you will have to go to Packages from System/Packages and install it</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort01.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307024/blog/pfsense/configuring-snort-on-pfsense/pfsnort01.png" alt=""/></a> 

<!-- WP QUADS Content Ad Plugin v. 2.0.92 -->
<div class="quads-location quads-ad2531 " id="quads-ad2531" style="float:none;margin:0px 3px 3px 3px;padding:0px 0px 0px 0px;" data-lazydelay="0">

</div>
 
</figure>



<p>After clicking on the packages button, you will get a list of packages and among them snort will be listed there</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort02.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307024/blog/pfsense/configuring-snort-on-pfsense/pfsnort02.png" alt=""/></a></figure>



<p>Click on the + on the far right to start the installation process.</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort03.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307024/blog/pfsense/configuring-snort-on-pfsense/pfsnort03.png" alt=""/></a></figure>



<p>I&#8217;ll Click on Confirm to continue</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort04.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307024/blog/pfsense/configuring-snort-on-pfsense/pfsnort04.png" alt=""/></a></figure>



<p>After it&#8217;s been installed now you&#8217;ll be able to see it on the Services menu tab.<br></p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort05.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307024/blog/pfsense/configuring-snort-on-pfsense/pfsnort05.png" alt=""/></a></figure>



<p>Click on Snort and let&#8217;s go configure it.<br></p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort06.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307024/blog/pfsense/configuring-snort-on-pfsense/pfsnort06.png" alt=""/></a></figure>



<p>Before you start configuring Snort, you must know that in order to successfully get it to work you must be registered in at least one of the snort communities which publishes important rules that tells snort what to check.. Similar to the firewall&#8217;s rules.</p>



<h2 class="wp-block-heading">Register on Snort&#8217;s Website</h2>



<p>The websites are as following and you can find their settings under the Global settings tab in snort window</p>



<p><a href="https://www.snort.org/users/sign_up">https://www.snort.org/users/sign_up</a></p>



<p><a href="https://portal.emergingthreats.net/register">https://portal.emergingthreats.net/register</a></p>



<figure class="wp-block-image"><img src="http://old.moh10ly.com/_/rsrc/1431547307293/blog/pfsense/configuring-snort-on-pfsense/pfsnort07.png" alt=""/></figure>



<p>I will sign up to Snort free account and configure all of the snort supported rules in order to get the most of it. After signing up I&#8217;ll need to activate my account.</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort08.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307293/blog/pfsense/configuring-snort-on-pfsense/pfsnort08.png" alt=""/></a></figure>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort09.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307293/blog/pfsense/configuring-snort-on-pfsense/pfsnort09.png" alt=""/></a></figure>



<p>I ;have ;receieved the confirmation now and I&#8217;ll confirm my account now, Once confirmed Snort will provide you with a code called VRT Oinkmaster confirmation code.</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort10.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307293/blog/pfsense/configuring-snort-on-pfsense/pfsnort10.png" alt=""/></a></figure>



<p>When your account is activated, you will need to go to your profile by clicking on your activated e-mail top right and you will find it on the left side. Copy the code and paste it to your snort on pfsense. ;</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort11.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307293/blog/pfsense/configuring-snort-on-pfsense/pfsnort11.png" alt=""/></a></figure>



<p>Just like this</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort12.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307293/blog/pfsense/configuring-snort-on-pfsense/pfsnort12.png" alt=""/></a></figure>



<p>So after I added the code this is how my Global Settings tab looks like ; (I enabled all the other free rules as well)</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort13.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307293/blog/pfsense/configuring-snort-on-pfsense/pfsnort13.png" alt=""/></a></figure>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort14.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307293/blog/pfsense/configuring-snort-on-pfsense/pfsnort14.png" alt=""/></a></figure>



<p>Now I will go to Updates tab and start updating rules tab, ;After clicking update this is how it will look like: ;</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort16.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307293/blog/pfsense/configuring-snort-on-pfsense/pfsnort16.png" alt=""/></a></figure>



<p>When finished this is how it&#8217;ll look like</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort17.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307293/blog/pfsense/configuring-snort-on-pfsense/pfsnort17.png" alt=""/></a></figure>



<p>Back to the updates tab you&#8217;ll notice that all the enabled rules have been updated .</p>



<figure class="wp-block-image"><img src="http://old.moh10ly.com/_/rsrc/1431547307293/blog/pfsense/configuring-snort-on-pfsense/pfsnort15.png" alt=""/></figure>



<p>If you are connecting to Pfsense from any location where you are planning to enable Snort Interface for then before you enable snort you must consider going to Pass Lists and add your IP (Either private if you&#8217;re planning to enable the LAN Interface or Public IP if you&#8217;re planning to include WAN Interface).</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort18.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307293/blog/pfsense/configuring-snort-on-pfsense/pfsnort18.png" alt=""/></a></figure>



<p>In order to create a Pass list, you will have to create an Alias and add the Ips you would like to include in the pass note that these IPS are never going to be checked or filtered by Snort.</p>



<p>In order to create an Alias List, click on Firewall Tab and scroll to Alias</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort19.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307293/blog/pfsense/configuring-snort-on-pfsense/pfsnort19.png" alt=""/></a></figure>



<p>Once in IP list page click on the + button far right to add the Ips that you would like to pass.</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort20.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307294/blog/pfsense/configuring-snort-on-pfsense/pfsnort20.png" alt=""/></a></figure>



<p>From type select the type of hosts that you&#8217;d like to include there, for me I&#8217;d like to include only a couple of Ips</p>
<!-- WP QUADS Content Ad Plugin v. 2.0.92 -->
<div class="quads-location quads-ad2523 " id="quads-ad2523" style="float:none;margin:0px 3px 3px 3px;padding:0px 0px 0px 0px;" data-lazydelay="0">

</div>




<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort21.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307294/blog/pfsense/configuring-snort-on-pfsense/pfsnort21.png" alt=""/></a></figure>



<p>Click Save and Apply then Close then go back to Snort&#8217;s Pass Lists and click on + to add new Pass list.</p>



<p>Select all the Networks, WAN IP, GATEWAY, DNS and finally the Alias that you have created and save. ;</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort22.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307294/blog/pfsense/configuring-snort-on-pfsense/pfsnort22.png" alt=""/></a></figure>



<p>Once saved, this is how the pass lists is going to look like</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort23.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307294/blog/pfsense/configuring-snort-on-pfsense/pfsnort23.png" alt=""/></a></figure>



<p>Now we can go back to Snort Interfaces and enable the WAN Interface for snort. I&#8217;ll click on Snort Interfaces tab and click + to add the new interface</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort24.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307294/blog/pfsense/configuring-snort-on-pfsense/pfsnort24.png" alt=""/></a></figure>



<p>Below I will select block offenders in order to protect myself from DDoS attacks and other attempts to crack internet exposed servers e.g. (FTP, Http..etc) .</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort25.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307294/blog/pfsense/configuring-snort-on-pfsense/pfsnort25.png" alt=""/></a></figure>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort26.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307294/blog/pfsense/configuring-snort-on-pfsense/pfsnort26.png" alt=""/></a></figure>



<p><strong>Here from Pass List I will select the list which I&#8217;ve created in the Pass List tab</strong></p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort27.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307294/blog/pfsense/configuring-snort-on-pfsense/pfsnort27.png" alt=""/></a></figure>



<p>As you can see below when ;the icon is red it means that the Snort is not running and you will have to press on the red icon to turn it on.</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort28.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307294/blog/pfsense/configuring-snort-on-pfsense/pfsnort28.png" alt=""/></a></figure>



<p>After enabling the WAN interface you will have to go define some rules and enable them.</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort29.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307294/blog/pfsense/configuring-snort-on-pfsense/pfsnort29.png" alt=""/></a></figure>



<p>Let&#8217;s define some rules for this interface e.g. FTP in order to do so I will click on the E next to the WAN description far right on the top snapshot.</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort30.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307294/blog/pfsense/configuring-snort-on-pfsense/pfsnort30.png" alt=""/></a></figure>



<p>We should go to ;<strong>WAN Categories</strong> ;and select different category in order to apply rules.</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort38.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307295/blog/pfsense/configuring-snort-on-pfsense/pfsnort38.png" alt=""/></a></figure>



<p><strong>Note:</strong></p>



<p>Enabling all rules might affect your VM or PM&#8217;s processor performance.</p>



<p>Now I will select all the rules from the rules list below and that will enable all the rules also that are included in the Snort GPLv2 Community. ;</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort39.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307295/blog/pfsense/configuring-snort-on-pfsense/pfsnort39.png" alt=""/></a></figure>



<p>Once added, you will have to apply changes and then click on Apply …. And for any reason if the service did not start as in the below snapshot then you should navigate to Status tab and check the &#8220;System Logs&#8221;</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort40.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307295/blog/pfsense/configuring-snort-on-pfsense/pfsnort40.png" alt=""/></a></figure>



<p>In System logs I noticed the following error:</p>



<p>snort[13270]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_6026_de0/rules/snort.rules(427) Unknown rule option: &#8216;sd_pattern&#8217;.</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort41.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307295/blog/pfsense/configuring-snort-on-pfsense/pfsnort41.png" alt=""/></a></figure>



<p>After doing some digging on this error it seems that it&#8217;s caused by the rule &#8220;Sensitive Data&#8221; and after disabling all the rule set in this rule I was able to start Snort on WAN again.</p>



<p>To disable the rules simply click on the &#8220;<strong>Disable all rules in the current Category</strong>&#8221; ;</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort42.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307295/blog/pfsense/configuring-snort-on-pfsense/pfsnort42.png" alt=""/></a></figure>



<p>When this is done, I will test snort if it&#8217;s working by simply try to hack into pfsense&#8217;s portal by using wrong passwords for let&#8217;s say 10/20 times and see if my IP will get blocked (I&#8217;ll use a different Public IP which is not in the pass lists)..</p>



<p>After trying about 7 attempts with wrong username and password I tried refreshing the page</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort34.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307295/blog/pfsense/configuring-snort-on-pfsense/pfsnort34.png" alt=""/></a></figure>



<p>Here is what I got</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort35.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307295/blog/pfsense/configuring-snort-on-pfsense/pfsnort35.png" alt=""/></a></figure>



<p>I will go check Snort blocked list and see if the IP that I tried connecting from is there note that the Public IP which I was trying to connect from was</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort36.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307295/blog/pfsense/configuring-snort-on-pfsense/pfsnort36.png" alt=""/></a></figure>



<p>As you can see below the IP has been blocked and the alert description ;says it as it is (http_inspection)</p>
<!-- WP QUADS Content Ad Plugin v. 2.0.92 -->
<div class="quads-location quads-ad2522 " id="quads-ad2522" style="float:none;margin:0px 3px 3px 3px;padding:0px 0px 0px 0px;" data-lazydelay="0">

</div>




<p>So that means that our snort works as it&#8217;s supposedly expected to.</p>



<figure class="wp-block-image"><a href="http://old.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense/pfsnort37.png?attredirects=0"><img src="http://old.moh10ly.com/_/rsrc/1431547307295/blog/pfsense/configuring-snort-on-pfsense/pfsnort37.png" alt=""/></a></figure>
</p>
<!-- WP QUADS Content Ad Plugin v. 2.0.92 -->
<div class="quads-location quads-ad2524 " id="quads-ad2524" style="float:none;margin:0px 3px 3px 3px;padding:0px 0px 0px 0px;" data-lazydelay="0">

</div>


Reset and manage your Active Directory users' Passwords Active Directory is one of the most…
Finding Exchange Database hidden mailboxes. Story:Maybe you have been in this situation before, trying to…
If you're using a Proxy server in your firewall or in your network and have…
Story:I got some clients that have reported some of their users being locked out and…
Delegate Permissions This is a code that I have wrote recently to check if an…
Story: I got a request from a client who constantly gets CVs and have to…