Configuring the Snort Package — pfSense Documentation (2024)

Snort is an intrusion detection and prevention system. It can be configured to simply log detected network events, or to both log and block them. Thanks to OpenAppID detectors and rules, the Snort package also enables application detection and filtering. The package is available to install in the pfSense® webGUI from System > Package Manager. Snort operates using detection signatures called rules. Snort rules can be custom created by the user, or any of several pre-packaged rule sets can be enabled and downloaded.

The Snort package currently offers support for these pre-packaged rules:

  • Snort VRT (Vulnerability Research Team) rules

  • Snort GPLv2 Community Rules

  • Emerging Threats Open Rules

  • Emerging Threats Pro Rules

  • OpenAppID Open detectors and rules for application detection

The Snort GPLv2 Community Rules and the Emerging Threats Open Rules are both available for free with no registration required. The Snort VRT rules are offered in two forms. One is a registered-user version which is free, but requires registration at http://www.snort.org. The registered-user free version only provides access to rules that are 30 days old or more. A Snort VRT paid subscription can be purchased, and it offers twice-weekly (and sometimes more frequent) updates to the rules. The Emerging Threats Pro rules are offered to paid subscribers only and offer almost daily updates to address fast-changing threats.

We strongly suggest obtaining a paid subscription from Snort or Emerging Threats in order to download the most current rules. This is highly recommended for commercial applications.

Launching Snort configuration GUI

To launch the Snort configuration application, navigate to Services > Snort from the menu in the pfSense webGUI.


Setting up Snort package for the first time

Click the Global Settings tab and enable the rule set downloads to use. If either the Snort VRT or the Emerging Threats Pro rules are checked, a text box will be displayed to enter the unique subscriber code obtained with the subscription or registration.

More than one rule set may be enabled for download, but note the following caveats. If a paid subscription is available for the Snort VRT rules, then all of the Snort GPLv2 Community rules are automatically included within the file downloaded with the Snort VRT rules; therefore, do not enable the GPLv2 Community rules if a paid-subscriber account is used for the Snort VRT rules. All of the Emerging Threats Open rules are included within the paid subscription for the Emerging Threats Pro rules. If the Emerging Threats Pro rules are enabled, the Emerging Threats Open rules are automatically disabled.


Once the desired rule sets are enabled, next set the interval for Snort to check for updates to the enabled rule packages. Use the Update Interval drop-down selector to choose a rule update interval. In most cases every 12 hours is a good choice. The update start time may be customized if desired. Enter the time as hours and minutes in 24-hour time format. The default start time is 3 minutes past midnight local time. So with a 12-hour update interval selected, Snort will check the Snort VRT or Emerging Threats web sites at 3 minutes past midnight and 3 minutes past noon each day for any posted rule package updates.


Update the rules

The Updates tab is used to check the status of downloaded rules packages and to download new updates. The table shows the available rule packages and their current status (not enabled, not downloaded, or a valid MD5 checksum and date).

Click on the Update Rules button to download the latest rule package updates. If there is a newer set of packaged rules on the vendor web site, it will be downloaded and installed. The determination is made by comparing the MD5 of the local file with that of the remote file on the vendor web site. If there is a mismatch, a new file is downloaded. The FORCE button can be used to force download of the rule packages from the vendor web site no matter how the MD5 hash tests out.
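The update decision described above, written out as an added example (this is not code from the pfSense Snort package): the local rules tarball is hashed and compared with the digest the vendor publishes, a mismatch or a missing local copy triggers a download, and FORCE downloads regardless. The file names and the layout of the vendor's .md5 file are assumptions; everything is constructed in a temporary directory so the example runs offline.

```python
"""Rule-package update decision, modelled on the Snort package's Updates tab.

Added example; this is not code from the pfSense Snort package. The package
compares the MD5 of the locally stored rules tarball with the MD5 published on
the vendor web site and downloads a new tarball only when they differ; FORCE
downloads regardless. Files here are constructed in a temporary directory so
the example runs offline; the vendor's real URLs, file names and .md5 layout
are not reproduced (assumption: the sidecar file holds a bare hex digest, or
md5sum-style 'digest  filename').
"""
import hashlib
import os
import tempfile


def file_md5(path):
    """Hex MD5 of a file, hashed in chunks so a large tarball is not read into RAM."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def published_md5(sidecar_path):
    """Return the vendor's published digest, validating that it is 32 hex digits."""
    with open(sidecar_path, "r", encoding="ascii") as fh:
        token = fh.read().split()[0].lower()
    if len(token) != 32 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("malformed digest in %r" % sidecar_path)
    return token


def needs_download(local_tarball, sidecar_path, force=False):
    """True when the Updates tab logic would fetch a new rules package.

    no local copy yet          -> download
    FORCE pressed              -> download regardless of the hash
    local MD5 != published MD5 -> download (vendor posted a newer package)
    otherwise                  -> nothing to do
    """
    if force or not os.path.exists(local_tarball):
        return True
    return file_md5(local_tarball) != published_md5(sidecar_path)


def demo():
    """Walk the four outcomes on constructed sample files; returns a dict of results."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        local = os.path.join(tmp, "rules-snapshot.tar.gz")        # constructed name
        sidecar = os.path.join(tmp, "rules-snapshot.tar.gz.md5")  # constructed name

        def publish(payload):
            # Simulate the vendor posting a package: write its digest to the sidecar.
            with open(sidecar, "w") as fh:
                fh.write(hashlib.md5(payload).hexdigest() + "\n")

        publish(b"rules v1")
        results["first_run"] = needs_download(local, sidecar)        # nothing local yet

        with open(local, "wb") as fh:
            fh.write(b"rules v1")                                    # package installed
        results["up_to_date"] = needs_download(local, sidecar)       # scheduled check, no change

        publish(b"rules v2")
        results["vendor_updated"] = needs_download(local, sidecar)   # digests differ

        publish(b"rules v1")
        results["forced"] = needs_download(local, sidecar, force=True)
    return results
```

The comparison is a change detector, not an integrity check: the digest comes from the same server as the tarball, so a mismatch means "the vendor posted a newer package", not "the download was tampered with".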

In the screenshot below, the Snort VRT and Emerging Threats Open rule packages have been successfully downloaded. The calculated MD5 hash and the file download date and time are shown. Also note the last update time and result are shown in the center of the page.


Add Snort to an interface

Click the Snort Interfaces tab and then the add icon to add a new Snort interface.


A new Interface Settings tab will open with the next available interface automatically selected. The interface selection may be changed using the Interface drop-down if desired. A descriptive name may also be provided for the interface. Other interface parameters may also be set on this page. Be sure to click the SAVE button down at the bottom of the page when finished.


After saving, the browser will be returned to the Snort Interfaces tab. Note the warning icons in the image below showing no rules have been selected for the new Snort interface. Those rules will be configured next. Click the edit icon (shown highlighted with a red box in the image below) to edit the new Snort interface again.


Select which types of rules will protect the network

Click the Categories tab for the new interface.

If a Snort VRT Oinkmaster code was obtained (either the free registered-user code or the paid subscription), the Snort VRT rules were enabled, and the Oinkmaster code was entered on the Global Settings tab, then the option of choosing from among three pre-configured IPS policies is available. These greatly simplify the process of choosing enforcing rules for Snort to use when inspecting traffic. The IPS policies are only available when the Snort VRT rules are enabled.

The three Snort VRT IPS Policies are: (1) Connectivity, (2) Balanced and (3) Security. These are listed in order of increasing security. However, resist the temptation to immediately jump to the most secure Security policy if Snort is unfamiliar. False positives can frequently occur with the more secure policies, and careful tuning by an experienced administrator may be required.

Tip

If Snort is unfamiliar, then using the less restrictive Connectivity policy in non-blocking mode (the default setting) is recommended as a starting point so that false positives can be whitelisted. Once experience with Snort has been gained in this network environment, blocking mode may be enabled (via the Block Offenders option in the Snort Interface Settings tab) and a more restrictive IPS policy may be chosen.


If the Snort VRT rules were not enabled, or if any of the other rule packages are to be used, then make the rule category selections by checking the checkboxes beside the rule categories to use.


Be sure to click SAVE when finished to save the selection and build the rules file for Snort to use.

Starting Snort on an interface

Click the Snort Interfaces tab to display the configured Snort interfaces. Click the start icon (shown highlighted with a red box in the image below) to start Snort on an interface.


It will take several seconds for Snort to start. Once it has started, the icon will change to the running state as shown below. To stop a running Snort instance on an interface, click the stop icon.


Select which types of signatures will protect the network

Click the Rules tab for the interface to configure individual rules in the enabled categories. Generally this page is only used to disable particular rules that may be generating too many false positives in a particular network environment. Be sure they are in fact truly false positives before taking the step of disabling a Snort rule!

Select a rules category from the Category drop-down to view all the assigned rules. Click the icon at the far left of a row to toggle the rule's state from enabled to disabled, or click it again to toggle from disabled to enabled. The icon will change to indicate the state of the rule. At the top of the rule list is a legend showing the icons used to indicate the current state of a rule.


Define servers to protect and improve performance


Managing blocked hosts

The Blocked tab shows what hosts are currently being blocked by Snort (when the block offenders option is selected on the Interface Settings tab). Blocked hosts can be automatically cleared by Snort at one of several pre-defined intervals. The blocking options for an interface are configured on the Snort Interface Settings tab for the interface.


Managing Pass lists

Pass Lists are lists of IP addresses that Snort should never block. These may be created and managed on the Pass Lists tab. When an IP address is listed on a Pass List, Snort will never insert a block on that address even when malicious traffic is detected.

To create a new Pass List, click the add icon. To edit an existing Pass List, click the edit icon. To delete a Pass List, click the delete icon. Note that a Pass List may not be deleted if it is currently assigned to one or more Snort interfaces.


A default Pass List is automatically generated by Snort for every interface, and this default list is used when no other list is specified. Pass Lists are assigned to an interface on the Interface Settings tab.

A customized Pass List may be created and assigned to an interface. This might be done when trusted external hosts exist that are not located on networks directly connected to the firewall. To add external hosts in this manner, first create an Alias under Firewall > Aliases and then assign that alias to the Assigned Aliases field. In the example shown below, the alias “Friendly_ext_hosts” has been assigned. This alias would contain the IP addresses of the trusted external hosts.

When creating a custom Pass List, leave all the auto-generated IP addresses checked in the Add auto-generated IP addresses section. Not selecting the checkboxes in this section can lead to blocking of critical addresses including the firewall interfaces themselves. This could result in being locked out of the firewall over the network! Only uncheck boxes in this section when absolutely necessary.


Click the ALIASES button to open a window showing previously defined aliases for selection. Remember to click SAVE to save changes.

Note

Remember that simply creating a Pass List is only the first step! It must be selected by going to the Interface Settings tab for the Snort interface and assigning the newly created Pass List as shown below. After assigning and saving the new Pass List, restart Snort on the affected interface to pick up the change.


Alert Thresholding and Suppression

Suppression Lists allow control over the alerts generated by Snort rules. When an alert is suppressed, Snort no longer logs an alert entry (or blocks the IP address, if block offenders is enabled) when a particular rule fires. Snort still inspects all network traffic against the rule, but even when traffic matches the rule signature, no alert will be generated. This is different from disabling a rule. When a rule is disabled, Snort no longer tries to match it to any network traffic. Suppressing a rule might be done in lieu of disabling the rule when alerts should only be stopped based on either the source or destination IP; for example, to suppress the alert when traffic from a particular trusted IP address is the source. If any other IP is the source or destination of the traffic, the rule would still fire. To eliminate all alerts from a rule, it is more efficient to simply disable the rule rather than to suppress it. Disabling the rule removes it from Snort's list of match rules and therefore gives Snort less work to do.


On the Suppress List Edit page, a new suppress list entry may be manually added or edited. It is usually easier and faster to add suppress list entries by clicking the suppress icon shown with the alert entries on the Alerts tab. Remember to click the SAVE button to save changes when manually editing Suppress List entries.


Getting to know the alerts

The Alerts tab is where alerts generated by Snort are viewed. If Snort is running on more than one interface, choose the interface whose alerts should be viewed in the drop-down selector.

Use the DOWNLOAD button to download a gzip tar file containing all of the logged alerts to a local machine. The CLEAR button is used to erase the current alerts log. Destination IPs have been redacted from the screenshot.


Alert Details


The Date column shows the date and time the alert was generated. The remaining columns show data from the rule that generated the alert.

The Source and Destination columns contain an icon for performing a reverse DNS lookup on the IP address, as well as an icon used to add an automatic Suppress List entry for the alert using that IP address and the SID (signature ID). This will prevent future alerts from being generated by the rule for that specific IP address only. If either the Source or Destination address is currently being blocked by Snort, a further icon will also be shown; clicking that icon will remove the block for the IP address.

The SID column contains two icons. The first will automatically add that SID to the Suppress List for the interface and suppress future alerts from the signature for all IP addresses. The second will disable the rule and remove it from the enforcing rule set. When a rule is manually disabled, the icon in the SID column changes to indicate the disabled state.

Application ID detection with OpenApp ID

OpenAppID is an application-layer network security plugin for the open source intrusion detection system Snort. Learn more about it here.

Enabling OpenAppID and its rules is done from Snort Global Settings. Select both checkboxes to enable detectors and rules download. Save the page.


After enabling the detectors and rules, go to the Snort Updates tab and click on Update Rules. Wait for all the rules to update. Once done, the page will show that the OpenAppID detectors and rules have been updated.


The following steps assume a Snort interface has already been added on the LAN interface. Edit the LAN interface and navigate to the LAN Categories tab. There, make sure the Snort OPENAPPID Rules in the right column are all selected and click Save.


Lastly, while still editing the Snort interface, navigate to the LAN Preprocessor tab.


Scroll down to the Application ID Detection section and select both the Enable and AppID Stats Logging checkboxes. Save the page and OpenAppID will be activated on the Snort interface.


Viewing detected applications can be done from the Alerts tab. The following screenshots are examples of identified services and applications:

  • Facebook

  • Netflix

  • Reddit

  • Amazon Web Services

  • iCloud

  • Twitter

Known issues

You can find a list of known issues with this package on the pfSense bug tracker.

Package Support

This package is currently supported by Netgate Global Support to those with an active support subscription.
