Here are the steps for a very quick and easy initial setup of the Snort package on pfSense for new users.

1. Go to the Available Packages tab under the System menu and install the snort package.

2. When the installation completes, click on Snort under the Services menu. This will open the Snort main setup page.

3. Click the Global Settings tab and perform the following:

   Change the "Update Rules Automatically" drop-down to 12-hours.

   Near the bottom of the page, click the box for "Keep Snort settings after deinstall".

   At the top of the page you have three choices for Rule Sets to activate. I strongly recommend that you obtain your own Oinkcode from Snort.org by clicking the URLs under the radio button for "Install Basic Rules or Premium Rules". You can sign up for a free "Registered User" account, or pay $29 annually for a "Subscriber Account". The paid account gets rule updates at least twice per week, and sometimes more. Registered User free accounts only get rules as they age past 30 days. That means your rules are 30 days old. That's why the paid account is preferred.

   Another option is the free Emerging Threats Rule Set. This one contains quite current rules and is quick to adapt to new threats, but it does not offer the easy pre-defined policies the Snort VRT rules do. For beginners, the choices in the Emerging Threats rules can be a bit overwhelming. I recommend the Snort VRT rules, and this means you need either a free or paid Oinkcode.

Now back to the setup --

4. Click the radio button to "Install Basic Rules or Premium Rules".

5. Assuming you followed my advice above, paste your new Oinkcode in the text box provided. Paste just your Oinkcode itself. Do not include the URL or filename! Snort handles those using built-in values.

6. Click Save.

7. Next, go to the Updates tab and click the Update button to download your rules. Don't worry when it warns you about no configured interfaces. We will set that up next.

8. Click the Snort Interfaces tab and then click the plus "+" icon to add a Snort interface.

9. On the If Settings tab, click the Enable checkbox.

10. In the drop-down, choose the interface. The WAN interface is the default and is a good first choice.

11. In the Description textbox, enter a name (WAN again is fine here).

12. Click the checkbox to "Send alerts to the main System logs".

13. You can leave the other settings at their defaults, but one setting you can usually safely enable is the "Checksum Check Disable" box.

14. Click Save and you will be returned to the main Snort Interfaces tab.

15. Click the small "e" next to your interface to edit more settings.

16. Click the Preprocessors tab.

17. Scroll down into the General Preprocessor Settings area and then check (or enable) all of the preprocessors listed in that section EXCEPT the Sensitive Data preprocessor. It can cause a lot of alerts and is best used after you gain some experience with Snort.

18. Click Save at the bottom of the page.

19. Now click on the Categories tab. This is where we will choose a threat detection policy and its associated rules.

20. If you followed my advice for Snort VRT rules, this page is easy. Just click the check box for "Use IPS Policy" and then select "Connectivity" in the drop-down. Click Save and you're done! Once you gain some experience with Snort, you can come back and choose one of the other two more restrictive policies. I personally run "Balanced", but it will require some tuning if run in blocking mode.

21. Go back to the main Snort Interfaces tab.

22. Click the green icon under the Snort column for your interface. After several seconds it will turn into a red X icon if Snort starts up.

23. Congratulations! You have an operable Snort IDS (Intrusion Detection System). Alerts can be viewed on the Alerts tab. After you gain experience, you can put Snort in blocking mode (IPS) by checking the "Block Offenders" box on the If Settings tab for the interface.

24. If Snort failed to start for you, click Status and then System Logs from the pfSense menu to examine the system log. You should find a clue for Snort not starting in there. Probably one of the most common reasons for failing to start is a preprocessor dependency in an enabled rule. Stated another way, an enabled rule contains a rule option or content option that relies on a preprocessor that is currently disabled. This is why I recommend turning on pretty much all of the preprocessors back up in Step 17. That avoids these kinds of FATAL ERROR problems on Snort startup. As you gain experience and knowledge with Snort, you can selectively disable preprocessors you truly do not need. For an explanation of preprocessors and their associated rule options, have a look at the Snort Manual at http://manual.snort.org/node17.html

Bill
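The startup failure described in Step 24 (an enabled rule using an option whose preprocessor is turned off) can be spotted before restarting Snort by cross-checking the rules file against snort.conf. The script below is an added example, not part of this post or of the pfSense Snort package; it assumes plain snort.conf and rules-file text as input, and its option-to-preprocessor map is a partial one (an assumption drawn from the Snort manual, not a complete list).

```python
import re
# Rule options that only work when the named Snort 2.9 preprocessor is loaded.
# Assumption: a partial map taken from the Snort manual; extend it for your rule sets.
OPTION_PREPROCESSOR = {
    "http_inspect": ["http_uri", "http_raw_uri", "http_header", "http_raw_header",
                     "http_method", "http_cookie", "http_client_body",
                     "http_stat_code", "http_stat_msg", "uricontent"],
    "ssl": ["ssl_state", "ssl_version"],
    "dcerpc2": ["dce_iface", "dce_opnum", "dce_stub_data"],
    "sip": ["sip_method", "sip_header", "sip_body", "sip_stat_code"],
}
NEEDS = {opt: pre for pre, opts in OPTION_PREPROCESSOR.items() for opt in opts}

def enabled_preprocessors(conf_text):
    """Names from every uncommented 'preprocessor <name>:' line in snort.conf."""
    return set(re.findall(r"^\s*preprocessor\s+([A-Za-z0-9_]+)", conf_text, re.M))

def rule_options(rule):
    """Option keywords used inside a rule's ( ... ) body, ignoring quoted values."""
    body = rule[rule.find("(") + 1:rule.rfind(")")]
    body = re.sub(r'"(?:\\.|[^"\\])*"', '""', body)
    return set(re.findall(r"(?:^|;)\s*([a-z][a-z0-9_]*)\s*(?=[:;]|$)", body))

def missing_preprocessors(conf_text, rules_text):
    """(sid, option, preprocessor) for each enabled rule whose option needs a
    preprocessor the config does not load, i.e. the startup FATAL ERROR case."""
    enabled = enabled_preprocessors(conf_text)
    problems = []
    for rule in rules_text.splitlines():
        rule = rule.strip()
        if not rule or rule.startswith("#"):   # commented-out rules never load
            continue
        m = re.search(r"\bsid\s*:\s*(\d+)", rule)
        sid = int(m.group(1)) if m else None
        for opt in sorted(rule_options(rule)):
            if opt in NEEDS and NEEDS[opt] not in enabled:
                problems.append((sid, opt, NEEDS[opt]))
    return problems

# Constructed sample input: http_inspect is loaded, ssl is commented out.
SAMPLE_CONF = """\
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 }
# preprocessor ssl: ports { 443 }, trustservers
"""
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE web probe"; flow:to_server,established; content:"/probe"; http_uri; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE tls hello"; flow:to_server,established; ssl_state:client_hello; sid:1000002; rev:1;)
# alert tcp any any -> any 443 (msg:"EXAMPLE disabled rule"; ssl_version:tls1.0; sid:1000003; rev:1;)
"""
```

Running `missing_preprocessors(SAMPLE_CONF, SAMPLE_RULES)` flags sid 1000002 because `ssl_state` needs the ssl preprocessor that the sample config leaves commented out, while the disabled third rule is ignored.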