Here are the steps for a very quick and easy initial setup of the Snort package on pfSense for new users.
1. Go to the Available Packages tab under the System menu and install the snort package.
2. When the installation completes, click on Snort under the Services menu. This will open the Snort main setup page.
3. Click the Global Settings tab and perform the following:
Change the "Update Rules Automatically" drop-down to 12-hours.
Near the bottom of the page, click the box for "Keep Snort settings after deinstall".
At the top of the page you have three choices for Rule Sets to activate. I strongly recommend that you obtain your own Oinkcode from Snort.org by clicking the URLs under the radio button for "Install Basic Rules or Premium Rules". You can sign up for a free "Registered User" account, or pay $29 annually for a "Subscriber Account". The paid account gets rule updates at least twice per week, and sometimes more. Registered User free accounts only get rules as they age past 30 days. That means your rules are 30 days old. That's why the paid account is preferred.
Another option is the free Emerging Threats Rule Set. This one contains quite current rules and is quick to adapt to new threats, but it does not offer the easy pre-defined policies the Snort VRT rules do. For beginners, the choices in the Emerging Threats rules can be a bit overwhelming. I recommend the Snort VRT rules, and this means you need either a free or paid Oinkcode.
Now back to the setup --
4. Click the radio button for "Install Basic Rules or Premium Rules".
5. Assuming you followed my advice above, paste your new Oinkcode in the text box provided. Paste just your Oinkcode itself. Do not include the URL or filename! Snort handles those using built-in values.
6. Click Save.
7. Next, go to the Updates tab and click the Update button to download your rules. Don't worry when it warns you about no configured interfaces. We will set that up next.
8. Click the Snort Interfaces tab and then click the plus "+" icon to add a Snort interface.
9. On the If Settings tab, click the Enable checkbox.
10. In the drop-down, choose the interface. The WAN interface is the default and is a good first choice.
11. In the Description textbox, enter a name (WAN again is fine here).
12. Click the checkbox to "Send alerts to the main System logs".
13. You can leave the other settings at their defaults, but one setting you can usually safely enable is the "Checksum Check Disable" option.
14. Click Save and you will be returned to the main Snort Interfaces tab.
15. Click the small "e" icon next to your interface to edit more settings.
16. Click the Preprocessors tab.
17. Scroll down into the General Preprocessor Settings area and then check (or enable) all of the preprocessors listed in that section EXCEPT the Sensitive Data preprocessor. It can cause a lot of alerts and is best used after you gain some experience with Snort.
18. Click Save at the bottom of the page.
19. Now click on the Categories tab. This is where we will choose a threat detection policy and associated rules.
20. If you followed my advice for Snort VRT rules, this page is easy. Just click the check box for "Use IPS Policy" and then select "Connectivity" in the drop-down. Click Save and you're done! Once you gain some experience with Snort, you can come back and choose one of the other two more restrictive policies. I personally run "Balanced", but it will require some tuning if run in blocking mode.
21. Go back to the main Snort Interfaces tab.
22. Click the green icon under the Snort column for your interface. After several seconds it will turn into a red X icon if Snort starts up.
23. Congratulations! You have an operable Snort IDS (Intrusion Detection System). Alerts can be viewed on the Alerts tab. After you gain experience, you can put Snort in blocking mode (IPS) by checking the "Block Offenders" box on the If Settings tab for the interface.
24. If Snort failed to start for you, click Status and System Logs from the pfSense menu to examine the system log. You should find a clue for Snort not starting in there. Probably one of the most common reasons for failing to start is a preprocessor dependency in an enabled rule. Stated another way, an enabled rule contains a rule option or content option that relies on a preprocessor that is currently disabled. This is why I recommend turning on pretty much all of the preprocessors back up in Step 17. That avoids these kinds of FATAL ERROR problems on Snort startup. As you gain experience and knowledge with Snort, you can selectively disable preprocessors you truly do not need. For an explanation of preprocessors and their associated rule options, have a look at the Snort Manual at http://manual.snort.org/node17.html