[pfSense] – Install and configure Snort in pfSense

Snort is a well-known open source IDS/IPS that is integrated with several firewall distributions such as IPFire, Endian and pfSense. This tutorial covers the installation and configuration of Snort and its rules on the pfSense firewall. Snort needs the packet filter (pf) firewall to provide its IPS feature, and pf is also available in this distribution.

Installation

All software for the pfSense firewall is available in the Packages sub menu. Go to the System menu and select Packages from the drop-down list.
[Screenshot: packages]
Click on the Available Packages tab to see the different categories of software.
[Screenshot: available packages]
Available Packages shows the following sub menu options. Snort is an open source security tool, so click on the Security menu to list the packages available for installation on pfSense.
[Screenshot: available package options]
The Snort package is available under the Security sub menu. Now click on the plus icon to install Snort.
[Screenshot: Snort package icon]
Installing any new package on pfSense requires confirmation from the firewall administrator, as shown below.
[Screenshot: confirm]
After confirmation, the Snort installation proceeds as shown in the following snapshot.
[Screenshot: Snort installation 1]
The completed Snort installation is shown below, along with further instructions for setting it up.
[Screenshot: Snort installation complete]
The Snort setup instructions are shown in the above figure.

Snort Configuration

After successful installation of Snort on pfSense, we will now configure Snort on the LAN interface for port scan detection. Snort is available in the Services menu after installation.
[Screenshot: Snort in Services menu]
The following snapshot appears after clicking on the Snort sub menu.
[Screenshot: Services menu]
Snort runs on either the LAN or the WAN interface of pfSense. Therefore we have to create the LAN and WAN interface settings by clicking on the plus icon.
[Screenshot: Snort interface setting]
The LAN interface settings are shown below. We have checked the IPS options, such as Block Offenders and Kill States.
[Screenshot: Snort interface setting, LAN]
The interface has been added for LAN, and Snort is currently not running on it. Click on the cross (X) button to start the Snort IDS service on the LAN interface.
[Screenshot: Snort interface added]
As shown in the following snapshot, Snort is running on the LAN interface.
[Screenshot: Snort interface running]
A warning notification is shown in the above figure. Therefore Snort rules should be added after the rules update step.
The following screen appears after clicking on the Global Settings menu, which is used to install the Snort rules.
[Screenshot: Snort rules under Global Settings]
Log in on the Snort web site and generate an Oinkcode to download the “Snort VRT” rules.
[Screenshot: Oinkcode]
Click on Oinkcode on the left side to get the Oinkcode.
[Screenshot: Oinkcode code]
Go to the Global Settings menu again and enter the Oinkcode to download the Snort VRT rules.
[Screenshot: enter Oinkcode in Snort settings]
Now go to the Updates menu to check the status of the different rules. Click on the Update button to download or update Snort rules on pfSense.
[Screenshot: Updates menu]
Click on the Update button to install the rules in Snort. The rule update step is shown in the figure below. We have installed the Snort Community, VRT and Emerging Threats rules.
[Screenshot: rules update]
Before moving to the next Snort menu, click on the Snort Interfaces tab again and select LAN for editing.
[Screenshot: LAN interface]
After clicking on the edit button, select the LAN Categories option for Snort rules. Select the desired rules for the LAN interface from this comprehensive list.
[Screenshot: Snort rules]
After installing the Snort rules on pfSense, the next option is the Alerts menu.
[Screenshot: alerts]
Snort together with the packet filter (pf) is able to block malicious IPs. Blocked IPs are shown in the following snapshot.
[Screenshot: blocked]
It is very common for a network administrator to whitelist certain IPs. By default, the local LAN is usually in the Pass List.
[Screenshot: pass list]
The Suppress menu is shown in the following snapshot. It is used to block false positive alerts.
[Screenshot: suppress]
A list of malicious IP addresses can be loaded on pfSense in the Snort configuration. Incoming traffic from the IP addresses stored in the reputation list will be considered malicious.
[Screenshot: IP list]
Settings for the signature IDs (SIDs) of Snort rules are managed using this menu.
[Screenshot: SID management]
Settings relevant to log management are shown in the following menu.
[Screenshot: log management]
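
How the Block Offenders option, the Pass List and the Suppress list described above interact, as an added example that is not part of the original tutorial or of the pfSense Snort package. It is a simplified model that assumes alerts in Snort's alert_fast text layout and blocking by source address only; the alert lines, SID 1000001, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample alerts in Snort's alert_fast text layout (not from the page).
SAMPLE_ALERTS = """\
03/14-10:15:01.120001 [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 2] {PROTO:255} 203.0.113.7 -> 192.168.1.10
03/14-10:15:09.530002 [**] [1:1000001:1] Constructed test rule [**] [Priority: 2] {TCP} 198.51.100.23:80 -> 192.168.1.20:51544
03/14-10:16:40.000003 [**] [1:1000001:1] Constructed test rule [**] [Priority: 2] {TCP} 192.168.1.30:80 -> 192.168.1.20:51600
03/14-10:17:02.900004 [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 2] {PROTO:255} 192.168.1.55 -> 192.168.1.10
"""
PASS_LIST = ["192.168.1.0/24"]  # constructed: the local LAN
SUPPRESS = ["suppress gen_id 1, sig_id 1000001, track by_src, ip 198.51.100.23"]

ALERT_RE = re.compile(r"\[(\d+):(\d+):\d+\].*\}\s+([\d.]+)(?::\d+)?\s+->\s+([\d.]+)")
SUPPRESS_RE = re.compile(
    r"suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
    r"(?:,\s*track\s+(by_src|by_dst),\s*ip\s+(\S+))?")

def parse_alerts(text):
    """Yield (gid, sid, src, dst) for every alert line that parses."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m[1]), int(m[2]), m[3], m[4]

def is_suppressed(alert, suppress_lines):
    """True if a suppress entry silences this alert (by GID:SID, optionally by host)."""
    gid, sid, src, dst = alert
    for entry in suppress_lines:
        m = SUPPRESS_RE.match(entry.strip())
        if not m or (int(m[1]), int(m[2])) != (gid, sid):
            continue
        if m[3] is None:  # no "track": the SID is silenced for every host
            return True
        host = src if m[3] == "by_src" else dst
        if ipaddress.ip_address(host) in ipaddress.ip_network(m[4], strict=False):
            return True
    return False

def blocked_ips(text, pass_list, suppress_lines):
    """Source IPs that would be blocked: alerted, not suppressed, not on the pass list."""
    nets = [ipaddress.ip_network(n, strict=False) for n in pass_list]
    blocked = set()
    for alert in parse_alerts(text):
        src = ipaddress.ip_address(alert[2])
        if not is_suppressed(alert, suppress_lines) and not any(src in n for n in nets):
            blocked.add(alert[2])
    return sorted(blocked)
```

With the sample data only the external port scanner is blocked: the suppressed source raises no alert, and the two LAN hosts are protected by the Pass List even though they triggered alerts.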

Conclusion

In this tutorial, we have explored the Snort IDS/IPS, an open source security tool integrated with the pfSense firewall. Snort works perfectly with a packet filter (pf) based firewall. The IPS feature of Snort blocks malicious or illegal IPs to protect the network. It is very stable on the pfSense firewall and is easily configured using the graphical front end.