wiki:netsec2018snort

Pfsense with SNORT

The pfSense project is a free, open source tailored version of FreeBSD for use as a firewall and router with an easy-to-use web interface.

There are two ways of installing pfSense.

  • Full installation
  • Embedded Installation

For more details on pfSense installation you may refer previous workshop Here you are going deploy a pre-installed Oracle Virtual Box machine and a linux GUI box to configure SNORT and do some testing.

Setting up VM's

  • Import them in to Oracle virtual box from File Import Appliance
  • While importing make sure to Tick reinitialize the MAC address of all your network cards.
  • Our lab network will be,
    ---LAN or WiFi Your Host Machine  - - > Bridge Port -- - >ETH0 -- pfsense
    									       |
    									   ETH1
    									       |
    					              	Linux Box  < - -
    
  • Please double check your vm network connections before powering on them.
  • If all settings are satisfying, power on both Virtual Machines.

Network Setup

Once they are booted go to your Linux Box and open the firefox browser.Go to https://192.168.1.1

  • Default Credentials will be admin/pfsense
  • You may change the WAN IP Address of your pfSense instance by visiting Interfaces > WAN
  • Change IPv4 Configuration Type to Static IPv4.

  • Enter your WAN address according to the table.
  • Enter subnet mask as 255.255.255.0
  • Add a new Gateway with the ip address 192.248.6.254
  • Do the same for IPv6 configurations, your gateway will be 2401:dd00:…..

Note : At the moment use DHCP for IPv6

At this point we may not change any LAN settings.

Snort

Lab pfsense is pre-installed with snort with default settings. But if you need to install it in your own instance, go to Package Manager and Search for snort from Available Packages list and install.

Once installed you can configure one of more instances of SNORT to run within pfSense. Each SNORT instance runs with individual settings and against a particular virtual interface.

Launching Snort configuration GUI

  • To launch the Snort configuration application, navigate to Services > Snort from the menu in pfSense.

Setting up Snort package for the first time

  • Click the Global Settings tab and enable the rule set downloads to use.
  • Select Enable Snort GPLv2 , Enable ET Open, Enable OpenAppID, Enable RULES OpenAppID

(If either the Snort VRT or the Emerging Threats Pro rules are checked, a text box will be displayed to enter the unique subscriber code obtained with the subscription or registration.)

  • Once the desired rule sets are enabled, next set the interval for Snort to check for updates to the enabled rule packages. Use the Update Interval drop-down selector to choose a rule update interval. In most cases every 12 hours is a good choice.
  • The update start time may be customized if desired.
  • Finally Save the configurations.

Update the rules

The Updates tab is used to check the status of downloaded rules packages and to download new updates. The table shows the available rule packages and their current status (not enabled, not downloaded, or a valid MD5 checksum and date).

  • Click on the Update Rules button to download the latest rule package updates. If there is a newer set of packaged rules on the vendor web site, it will be downloaded and installed. The FORCE button can be used to force download of the rule packages from the vendor web site no matter previous version.

Add Snort to an interface

  • Click the Snort Interfaces tab and then the Add icon to add a new Snort interface.
  • A new Interface Settings tab will open with the next available interface automatically selected. We will add the detection to WAN interface. The interface selection may be changed using the Interface drop-down if WAN is not automatically selected.
  • A descriptive name may also be provided for the interface. Other interface parameters may also be set on this page. Be sure to click the SAVE button down at the bottom of the page when finished.
  • After saving, the browser will be returned to the Snort Interfaces tab, Click on the pencil icon on Actions list of the WAN interface.
  • Click WAN Categories. Then Click on the Select All and Save. This will select all rules on the selected categories to be active for IDS.
  • Now click the Snort Interfaces link and go back to Interface Settings Overview.
  • To start the IDS click the start button on Snort Status column.
  • Next Click on the Alerts link and tick the Auto-refresh if it’s not already selected.
  • On a new tab do some browsing and check whether are there any detections.

If you see lots of alerts from a single rule then it is can be a false positive. You have to go back to the interface edit on snort and on WAN Rules you may disable that specific Rule/s. But be careful in disabling rules as it might create new loop holes in your analysis.

On the WAN Rules page you can select your rule by its category. Once the rule is found you can disable a working rule by clicking on the green icon or vice versa.

Creating Custom Rules

  • Select WAN Rules -- > Category Selection -- > custom.rules

  • Type in the custom rules, save them and check whether they are working. (To see the best of your custom rules, first deselect all categories from the WAN Categories)
  • If you see lots of false positives or false negative, you might consider fine tuning your rules.
    alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "SSH Detected"; sid:10; rev:1;)
    

The text up to the first parenthesis is the rule header and the section enclosed in parenthesis contains the rule options. The words before the colons in the rule options section are called option keywords. Eg: To trigger any tcp flows, alert tcp any any -> any any (msg: "Testing Alert" ; sid:1000001; rev:1) Where,

Rule Header alert – Rule action. Snort will generate an alert when the set condition is met. tcp – protocol any – Source IP. Snort will look at all sources. any – Source port. Snort will look at all ports. -> – Direction. From source to destination. (-> and <> are the valid directions) any – Destination IP. any – Destination port. Snort will look at all ports on the protected network.

Rule Options msg:”Testing Alert” – Snort will include this message with the alert. sid:1000001 – Snort rule ID. Remember all numbers < 1,000,000 are reserved, this is why we are starting with 1000001 (you may use any number, as long as it’s greater than 1,000,000). rev:1 – Revision number. This option allows for easier rule maintenance.

  • Now try your own rules.
    alert tcp 192.248.x.x any -> $HOME_NET 21 (msg:”FTP connection attempt from LEARN”; sid:1000002; rev:1;)
    

Snort as an IPS

All what we saw was IDS function of the Snort. Now let us see how to block potential threats according to the alerts.

  • Go back to Snort Interface settings by clicking the pencil mark in front of your Snort Interface.
  • Under the WAN settings tick “Block Offenders” and Save. This will block any IP address that will trigger an alert.
  • Check Block Addresses
  • Go to “Blocked” in Services>Snort to check the blocked IP addresses, You may also manage any address in the list if needed.

IPS settings to block torrents

Following is an example steps in blocking torrent traffic. But if the traffic is encrypted you may not see any good results.

  • Go to:

Services > Snort > Snort Interfaces > WAN > WAN Categories

  • Deselect all Rule Categories from the interface.

  • Select the categories that includes “p2p” and Save.

Make sure Block offenders are ticked in your interface settings.

  • You may check the blocked IP details from Blocked page. Also you should consider blocking all non-essential ports as well.

Note: We highly not recommend putting a IPS in a high traffic path as the IPS function will become a bottleneck to the whole network.

Last modified 17 months ago Last modified on Jun 13, 2018, 9:57:39 AM