Tuesday, September 23, 2014

pfSense on a Firebox Part 2: Snort

The main reason I wanted to install pfSense was for Snort. It turns your firewall into an IPS/IDS that uses Snort's signature database for detection, and the best part is that it's all open source. Snort is now owned by Cisco after their acquisition of Sourcefire last year - hopefully we'll see it pay off when they update their IPS line.

First things first, we need to install the package; luckily pfSense has a package manager built in. Navigate to System > Packages, select the Available Packages tab, find snort in the list and hit Install.


While it's installing, head over to snort.org and sign up, since you need to register to get access to its signature database. Once you've confirmed your email, click on your username at the top right and go to Oinkcode; you'll see a long hash. Keep this tab open, as you'll need it once snort is done installing.

After it's done, the first thing you want to do is update its signature database. To do this go to Services > Snort and select the Global Settings tab. Here you can put your Oinkcode in the corresponding field and select your type of update (Snort VRT rules). You can also set the update check interval; I left mine on manual as this isn't a production box - if it were, you'd want it at about once per day. Now go to the Update tab and check for updates; it should take a few minutes to download everything.

Now that you have your updated signature database, you need to bind an interface. This tells snort which interfaces on your box to listen on for signature matches.

Go to Snort Interfaces and select new; you'll see a new list of options. Keep your interface as your WAN (unless you want to sniff internal traffic, which isn't always a bad thing, especially when you have a DMZ).

Select Block offenders. An easy way to tune this is to drop the shun time down to something manageable: if you have perma-blocks on you'll constantly have to go in and review blocks; this way you can block signature matches and check them later for further investigation, which gives you a bit of peace of mind without being overly paranoid. Back in Global Settings you can set "Remove blocked hosts interval" - I set mine to 1hr as suggested. I left my search method as AC-BNFA because I am definitely using a low-end system (1.6GHz Celeron!).

Everything else I also kept as default - for now.

In the WAN Categories tab you can select your IPS policy, or specific rules. I opted to use a pre-defined policy - Balanced. Once you've enabled that you can see the list of rules in the WAN Rules tab - Balanced enables just over 1500; disable them as you please.

In the Preproc tab you can enable Portscan Detection if you so desire - I'm going to leave this blank as I intend to install Strikeback.



In the Pass Lists tab you can specify your whitelists: hosts or subnets which snort will ignore.

There's a million other settings you can go through that I honestly don't care about for this small project - but if you stop here like I did you should have more than enough protection for a SOHO network :)

You can see any signature detections under the Alerts tab and blocked hosts in the Blocked tab - unfortunately it doesn't look like snort on pfSense can do packet captures like Cisco's IPSes can, with Wireshark being built in.
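To make the Block offenders / pass list / "Remove blocked hosts interval" behaviour above concrete, here is a small added example (my own illustration, not code from the original post, pfSense or the Snort project) that replays a few constructed Snort alert_fast-style lines through a pass list and a block table with a one-hour shun time. The alert lines, the pass list entries and the year used to complete Snort's year-less timestamps are all assumptions made for the example; the expiry logic is a simplified model of what the pfSense package's cron job does, not its actual code.

```python
"""Replay constructed Snort alert_fast lines through a pass list and a
block table with expiry. Added example; not the post's, pfSense's or
Snort's own code. Sample lines, pass list and year are constructed."""
import ipaddress
import re
from datetime import datetime, timedelta

# Snort alert_fast line layout (IPv4 only here; the classification field is
# optional because not every rule carries a classtype).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (local-range SIDs 1000001+, documentation IPs).
SAMPLE_ALERTS = """\
09/23-10:15:01.000123  [**] [1:1000001:1] CONSTRUCTED TEST web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:44123 -> 198.51.100.20:80
09/23-10:16:40.500000  [**] [1:1000002:1] CONSTRUCTED TEST ICMP probe [**] [Priority: 3] {ICMP} 192.168.1.50 -> 198.51.100.20
09/23-10:20:12.250000  [**] [1:1000001:1] CONSTRUCTED TEST web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:44190 -> 198.51.100.20:80
12/23-12:30:00.000000  [**] [1:1000003:1] CONSTRUCTED TEST ssh probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.77:51000 -> 198.51.100.20:22
"""


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def in_pass_list(ip, pass_list):
    """True if ip falls inside any host or subnet of the pass list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in pass_list)


def simulate_blocks(alert_text, pass_list, shun=timedelta(hours=1), year=2014):
    """Walk the alerts in order, blocking new offenders and expiring old blocks.

    Returns (events, blocked): events is a list of (src, action) tuples where
    action is passed / blocked / already_blocked / expired, and blocked is the
    sorted list of hosts still in the block table at the end.
    """
    blocked = {}  # src ip -> time the block was placed
    events = []
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        # Snort's alert_fast timestamps carry no year; assume one (constructed).
        now = datetime.strptime(alert["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year)
        # Expire blocks older than the shun time before handling this alert,
        # which is the role of the "Remove blocked hosts interval" job.
        for ip, since in list(blocked.items()):
            if now - since >= shun:
                del blocked[ip]
                events.append((ip, "expired"))
        src = alert["src"]
        if in_pass_list(src, pass_list):
            events.append((src, "passed"))
        elif src in blocked:
            events.append((src, "already_blocked"))
        else:
            blocked[src] = now
            events.append((src, "blocked"))
    return events, sorted(blocked)


if __name__ == "__main__":
    # Constructed pass list: the internal LAN plus one management host.
    evts, still_blocked = simulate_blocks(SAMPLE_ALERTS, ["192.168.1.0/24", "10.0.0.1"])
    for src, action in evts:
        print(f"{src:>16}  {action}")
    print("still blocked:", still_blocked)
```

Run it as a script to see the sequence: the external host is blocked on its first match, its second match is reported as already blocked, the LAN host is passed straight through, and by the time the last alert arrives the first block has aged past the one-hour shun time and been removed. The same four outcomes are what you would be reading off the Alerts and Blocked tabs.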

