Snort is well-known open source IDS/IPS which is integrated with several firewall distributions such as IPfire, Endian and PfSense. In this tutorial, our focus is installation, configuration of snort and rules on PfSense firewall. Snort needs packet filter (pf) firewall to provide IPS feature which is also available in this distribution.
All software’s of Pfsense firewall are available in the Packages sub menu . Go to System menu and select packages from drop down menu list.
Click on Available Packages tab for different category of software’s .
Available Packages shows following sub menu options. Snort is an open source security tool, therefore click on security menu to list down available packages for installation on PfSense.
Installation of any new package on Pfsense , requires confirmation from firewall administrator which is shown below.
After confirmation, snort installation is shown in following snapshot
Snort installation is shown below and more instruction are also given for further setting.
Snort setup instructions are shown in the above figure.
After successful information of snort on Pfsense, now we will configure snort on LAN interface for port scan detection. Snort is available in the services menu after installation.
Following snapshot appears after clicking on the snort sub menu.
Snort either run on LAN or WAN interface of Pfsense. Therefore we have to create lan and wan interfaces setting by clicking on icon.
LAN interface setting are shown below. We have checked the IPS options like block offenders and kill their states
Interface added for LAN and currently snort is not running on it. Click on cross (X) button to start Snort ids service on LAN interface.
As shown in the following snapshot snort is running on LAN interface.
Warning notification is shown in the above figure. Therefore snort rules should be added after rules updates step.
Following screen appears after clicking on the Global setting menu for the installation of rules of snort.
Login on snort web site and generates Onikcode to download “Snort VRT” rules.
Click on the Oinkcode on left side to get Oinkcode.
Again go to Global settings menu and enter Oinkcode to download Snort VRT rules.
Now go to Updates menu to check the status of different rules. Click on the Update button to download or update snort rules on Pfsense.
Click on the Update button to install rules on the snort. Rule update step is shown in the below figure. We have installed snort community ,VRT ,emerging threats rules.
Before moving to next menu of snort, again click on the Snort interfaces tab and select LAN for editing.
After clicking on edit button, select LAN Categories option for snort rules. Select desirable rules from this comprehensive list for LAN interface.
After installation of snort rules on Pfsense, next option is alerts menu.
Snort with packet filter (filter) gives capability of blocking malicious IP. Blocked IP’s will be shown on the following snapshot.
It is very common on the network that administrator ensures white listing of IP’s. By default Local LAN is usually in the Pass List.
Suppress menu is shown in the following snapshot. It is used to block false positive alerts.
List of malicious ip addresses can be loaded on Pfsense in the snort configuration. Incoming traffic from the ip addresses stored in the reputation list will be considered as the malicious.
Setting relevant to log management are shown in the following menu.
In this tutorial, we have explored the Snort IDS/IPS which is an open source security software integrated with PfSense firewall. Snort works perfectly with packet filter (pf) based firewall . IPS feature of snort block the malicious or illegal IP’s for network protection . It is very stable on Pfsense firewall and easily configured using graphical front end