Snort setup in pfSense details

Posted: November 10th, 2016 | Filed under: FreeBSD, pfSense, Snort

Snort is an open source intrusion detection system that is available as a package on pfSense. What this means is that many aspects, from rules to system tuning, can be easily configured via the pfSense GUI.

What does Snort do? Once you have defined the networks (e.g. your local LAN, WAN), Snort will inspect the network packets on those segments against the rules that you have given it. When a packet matches a rule (e.g. I get “ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray” while using git), Snort will write an alert to the logs and (optionally) block the IP address from further compromise.

What doesn’t Snort do? It is not a firewall. The rules I mentioned here are separate from the firewall rules. Snort in this case works in conjunction with pfSense. You can separately install it on OpenWrt etc., or have Snort installed separately on another computer / bridge.

While the setup is straightforward via pfSense, there are a few gotchas I would like to point out so people can avoid them:

  1. Make sure your Snort machine has enough horsepower. I know a lot of readers of this blog are from the OpenWrt world. I wouldn’t recommend running Snort on anything slower than a second-generation Core processor. I say this because I ran it via pfSense on a Thinkpad T410, which has a first-generation Core, and it overheated and shut down at 85C. Memory doesn’t matter (4Gb should be more than enough) but CPU horsepower does. The second-generation machine stabilizes around 47C under ambient network load but has been cranked up to 60-70C when the whole family is using the network.
  2. For the first little while, be prepared to check the Alerts and Blocked lists. The canned rules protect you, but they will also give you false alarms, so you have to be prepared to spend time (at least initially) monitoring things. When sites you used to be able to access stop working, check the Alerts log: Snort might have blocked the site. E.g. Snort would block 213.230.210.230 and report “ET CNC Feodo Tracker Reported CnC Server TCP group 13”. It turns out that 213.230.210.230 is the host for one of the ad-list repositories. So some care must be taken to monitor the traffic, at least initially.
  3. Pick only the rules you need, once you are sure. Under the Categories section for each interface, you can pick and choose which rules you want Snort to check each packet against. If you are using a Linux machine with Chrome only, you can disable the IE (Internet Explorer) rules, and so on.
  4. Adding and/or suppressing IP addresses and rules takes a few seconds to apply, so be patient.
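
Points 2 and 4 above come down to one routine: read the alerts, work out which signature fired against which host, and, once you have reviewed a host and decided the hit is a false positive (like the ad-list repository above), turn it into a suppress entry instead of disabling the whole rule. The script below is an added example, not code from the post or from the Snort/pfSense projects. It parses Snort's "fast" alert format (the one-line `[gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port` layout), counts hits per signature and destination, and emits `suppress` lines in Snort's threshold.conf syntax, which is the same syntax pfSense's Suppress lists use. The alert lines are constructed sample data; the SIDs 9000001 and 9000002 are placeholders, not the real SIDs of the ET rules named in the post.

```python
import re
from collections import Counter

# Snort "fast" alert format (written by -A fast). Ports are optional so ICMP alerts parse too.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts. SIDs 9000001/9000002 are placeholders, not the real ET rule SIDs.
SAMPLE_ALERTS = [
    "11/10-09:15:01.123456  [**] [1:9000001:3] ET CNC Feodo Tracker Reported CnC Server TCP group 13 [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.20:50412 -> 213.230.210.230:80",
    "11/10-09:15:07.654321  [**] [1:9000001:3] ET CNC Feodo Tracker Reported CnC Server TCP group 13 [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.20:50413 -> 213.230.210.230:80",
    "11/10-09:20:44.000001  [**] [1:9000002:5] ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.7:443 -> 192.168.1.20:41522",
    "this line is not an alert and is skipped",
]


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not a fast-format alert."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "proto": d["proto"], "src": d["src"], "dst": d["dst"],
    }


def summarize(lines):
    """Count alerts per (gid, sid, msg, dst): the view you need to spot a noisy signature fast."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a:
            counts[(a["gid"], a["sid"], a["msg"], a["dst"])] += 1
    return counts


def suppress_entries(lines, reviewed_hosts):
    """Build threshold.conf 'suppress' lines for alerts that involve hosts an operator
    has already reviewed and judged benign. Suppression is scoped to signature + host,
    so the rule keeps firing for every other address (unlike disabling the category)."""
    entries = set()
    for line in lines:
        a = parse_alert(line)
        if not a:
            continue
        if a["dst"] in reviewed_hosts:
            entries.add(f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_dst, ip {a['dst']}")
        elif a["src"] in reviewed_hosts:
            entries.add(f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_src, ip {a['src']}")
    return sorted(entries)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_ALERTS).most_common():
        gid, sid, msg, dst = key
        print(f"{n:4d}  [{gid}:{sid}]  {msg}  -> {dst}")
    # Only after checking that 213.230.210.230 really is the ad-list host do we suppress it.
    for entry in suppress_entries(SAMPLE_ALERTS, {"213.230.210.230"}):
        print(entry)
```

The `reviewed_hosts` set is the operator's decision, not something the script infers: the point of the workflow in point 2 is that a human checks what the blocked address actually is before it goes on the Suppress list. On pfSense the emitted lines are pasted into a Suppress list under Services > Snort > Suppress and assigned to the interface; in a stand-alone Snort they go in threshold.conf.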

Useful References:
The pfSense forum has a great section on IDS.
They also have a “crowd fueled” Suppress list which is extremely handy for newcomers to get rid of the most common false positives.