Netgate m1n1wall

Author Topic: Quick Snort Setup Instructions for New Users  (Read 32406 times)

0 Members and 2 Guests are viewing this topic.

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 1095
    • View Profile
Re: Quick Snort Setup Instructions for New Users
« Reply #60 on: March 28, 2014, 11:00:56 pm »
I read somewhere that AC-BNFA-NQ should provide better performance than AC-BNFA and it also appears to be the default in Snort now, as mentioned here: http://manual.snort.org/node16.html

Currently I have Snort running on a single interface as AC-BNFA-NQ with:

- Snort VRT free Registered User
- Snort Community Ruleset
- ETOpen

with 90% of all rules enabled, on a box with 2GB of RAM and the RAM usage never goes above 35% (it is also running pfBlocker, OpenVPN client + server, Squid + LightSquid, HAVP)...

Are you saying AC-BNFA would be better even?

No, it is no better in terms of memory consumption.  The NQ means "not queued" if I am recalling correctly, and has some relation to overall performance.  The NQ settings are popular now.

Bill

Offline l3lu3

  • Newbie
  • *
  • Posts: 8
    • View Profile
Re: Quick Snort Setup Instructions for New Users
« Reply #61 on: April 05, 2014, 12:32:32 pm »
Is there any way to log the packets that trigger a snort alert? Mainly I want to see HTTP header and request associated with the alert.

The new 2.9.6.0 version of Snort offers increased packet/file capture abilities according to the post on the Snort.org web site.  I am working now on readying that version for the next Snort package update.  I will investigate what is offered in the new binary and see what I can reasonably incorporate into the GUI.

I had a similar request from some folks in the new Suricata BETA package thread where the wish was a clickable link from the alert on the ALERTS tab to a view of the packets that triggered the alert.  I am mulling over in my head the best way to accomplish that without bogging down the firewall CPU searching through hundreds of megabytes of packet capture files.  In general its better to offload such tasks to an external system.

Bill

I really hope you'll be able to incorporate full packet capture offloaded to an external system. That would be ideal. I see your reservations and challenges about doing it all on the fw box. Although I believe any of us wanting to do full packet capture are already using barnyard2 sending to an external system. Thanks for all your hard work - I really appreciate it, as I'm sure others do as well :)

Offline SpitefulMonkey

  • Newbie
  • *
  • Posts: 8
    • View Profile
Re: Quick Snort Setup Instructions for New Users
« Reply #62 on: April 08, 2014, 10:23:34 am »
I am having an issue trying to install snort on my new box. The PBI seems to be missing. Here is what I am seeing...

Beginning package installation for snort .
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
 Downloading https://files.pfsense.org/packages/amd64/8/All/snort-2.9.6.0-amd64.pbi ...  could not download from there or http://files.pfsense.org/packages/amd64/8/All//snort-2.9.6.0-amd64.pbi.
of snort-2.9.6.0-amd64 failed!

I peeked in https://files.pfsense.org/packages/amd64/8/All/ and didn't see the package, just older installs. Was there a reason 2.9.6.0 was pulled?


Offline doktornotor

  • Hero Member
  • *****
  • Posts: 1555
    • View Profile
Re: Quick Snort Setup Instructions for New Users
« Reply #63 on: April 08, 2014, 10:24:25 am »
I am having an issue trying to install snort on my new box.

And you are having issues with the search box on the forum as well?

Offline SpitefulMonkey

  • Newbie
  • *
  • Posts: 8
    • View Profile
Re: Quick Snort Setup Instructions for New Users
« Reply #64 on: April 08, 2014, 01:19:41 pm »
I am having an issue trying to install snort on my new box.

And you are having issues with the search box on the forum as well?

Search was used many times and all I came across was that it is available on the servers via IPv6 and not IPv4. If you knew a quick fix, you could have posted it thus having a thread to show in search when others like myself run in to this. It's my understanding that is how the search feature works...

Offline doktornotor

  • Hero Member
  • *****
  • Posts: 1555
    • View Profile
Re: Quick Snort Setup Instructions for New Users
« Reply #65 on: April 08, 2014, 02:02:13 pm »
Sigh, how about you stop flooding this thread with completely off-topic junk.

Offline SpitefulMonkey

  • Newbie
  • *
  • Posts: 8
    • View Profile
Re: Quick Snort Setup Instructions for New Users
« Reply #66 on: April 08, 2014, 04:50:37 pm »
Someone found a workaround for it in this thread at the end. https://forum.pfsense.org/index.php?topic=74486.15





Offline Amuzed2pieces

  • Newbie
  • *
  • Posts: 4
    • View Profile
Re: Quick Snort Setup Instructions for New Users
« Reply #67 on: April 15, 2014, 01:10:06 pm »
Noob issue with creating Alias/Whitelist.... 

I am having an issue creating a Passlist (whitelist).  I click on the "Pass List Tab" and lists "passlist_36480", then Edit (e)  with a set of check boxes, and an Alias box at the bottom.

To add my own to the White/Passlist, I am guessing I add a file name to the Alias Box:  But I get an error message when adding a file name, whether it as created in the "Ip List" or not:  The following input errors were detected:        A valid alias must be provided


I follow the Alias button, and there is no (+) Add button.  I tried different syntax in the file name, adding a "IP List" but have not been able to create or add.  I saw the pictures listed before in this thread about Editing a Alias, but not about creating one.

What simple idiot step am I missing?  Thanks.

Offline Hollander

  • Sr. Member
  • ****
  • Posts: 357
    • View Profile
Re: Quick Snort Setup Instructions for New Users
« Reply #68 on: April 15, 2014, 01:14:33 pm »
Noob issue with creating Alias/Whitelist.... 

I am having an issue creating a Passlist (whitelist).  I click on the "Pass List Tab" and lists "passlist_36480", then Edit (e)  with a set of check boxes, and an Alias box at the bottom.

To add my own to the White/Passlist, I am guessing I add a file name to the Alias Box:  But I get an error message when adding a file name, whether it as created in the "Ip List" or not:  The following input errors were detected:        A valid alias must be provided


I follow the Alias button, and there is no (+) Add button.  I tried different syntax in the file name, adding a "IP List" but have not been able to create or add.  I saw the pictures listed before in this thread about Editing a Alias, but not about creating one.

What simple idiot step am I missing?  Thanks.

Firewall/aliasses. Create one first.

It is good to see more noobs on this board; for over a year I've been feeling so lonely  ;D
Hardware1:Intel DQ77KB/Celeron G1610/8GB Corsair/WDC Hardware2:Dell R200/8GB/Xeon L3360/WDC switches:HP V1910-16G&48G WiFi:Ubiquity Pfsense:2.1.2 X64/Snort Performance:CPU 10%/RAM 70% Broadband:VDSL 30/2 & Cable 30/2 OS:W7/W8/PC-BSD/Linux Mint Other:setup, incl. donations is 3x more expensive than retail junk, but 100x better :D

Offline Amuzed2pieces

  • Newbie
  • *
  • Posts: 4
    • View Profile
Re: Select the rulesets Snort will load at startup
« Reply #69 on: April 15, 2014, 01:15:27 pm »
RE Selecting Rule Sets:

Under "WAN Categories", I have the IPS Ruleset:Connectivity and Flowbits boxes checked. 

Do I just ignore the "Rulesets Snort will load at Startup"  below this?  So is this an ALTERNATIVE or ADDITION, or do I have to check the Rulesets to use UNDER the IPS Ruleset: Connectivity?

Thanks for the noob clarification.




Offline Amuzed2pieces

  • Newbie
  • *
  • Posts: 4
    • View Profile
Re: Quick Snort Setup Instructions for New Users
« Reply #70 on: April 15, 2014, 01:55:20 pm »

Firewall/aliasses. Create one first.

It is good to see more noobs on this board; for over a year I've been feeling so lonely  ;D

I will probably make your week. 


Offline bmeeks

  • Hero Member
  • *****
  • Posts: 1095
    • View Profile
Re: Select the rulesets Snort will load at startup
« Reply #71 on: April 15, 2014, 05:10:35 pm »
RE Selecting Rule Sets:

Under "WAN Categories", I have the IPS Ruleset:Connectivity and Flowbits boxes checked. 

Do I just ignore the "Rulesets Snort will load at Startup"  below this?  So is this an ALTERNATIVE or ADDITION, or do I have to check the Rulesets to use UNDER the IPS Ruleset: Connectivity?

Thanks for the noob clarification.

When you select an IPS Policy, that will load a preset collection of Snort VRT rules.  The VRT rule authors decide which particular rules are associated with a given IPS Policy.  But this only applies to Snort VRT rules.  Emerging Threats is a completely separate and unrelated set of rules.  So when you use an IPS Policy, individual selections for Snort VRT rule categories are disabled, but you are free to select ET rules categories (if you have Emerging Threats rules enabled for download under GLOBAL SETTINGS) that will be added to your automatic Snort VRT collection coming from the chosen policy.  So when using a policy, the checkboxes further down below are optional and will add more rules to those that are part of the policy.

Bill
« Last Edit: April 15, 2014, 05:12:07 pm by bmeeks »

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 1095
    • View Profile
Re: Quick Snort Setup Instructions for New Users
« Reply #72 on: April 15, 2014, 05:17:36 pm »
Noob issue with creating Alias/Whitelist.... 

I am having an issue creating a Passlist (whitelist).  I click on the "Pass List Tab" and lists "passlist_36480", then Edit (e)  with a set of check boxes, and an Alias box at the bottom.

To add my own to the White/Passlist, I am guessing I add a file name to the Alias Box:  But I get an error message when adding a file name, whether it as created in the "Ip List" or not:  The following input errors were detected:        A valid alias must be provided


I follow the Alias button, and there is no (+) Add button.  I tried different syntax in the file name, adding a "IP List" but have not been able to create or add.  I saw the pictures listed before in this thread about Editing a Alias, but not about creating one.

What simple idiot step am I missing?  Thanks.

Aliases are used throughout pfSense and are really cool.  They allow you to use a "name" for one or more IP addresses (hosts, networks, etc.).  Anywhere you use the "name", then at runtime pfSense will go grab the underlying associated IP addresses and use them in the firewall rules.  This way, if later on you need to edit an IP address or add or delete one, you just edit the Alias.  Then the change is instantly applied to all the firewall rules (or in the case of PASS LISTS in Snort), the Snort pass list.  That keeps you from having to manually search out all the places where that IP was used and then hand editing it in every instance.

You create Aliases under Firewall...Aliases as another user posted.  Once created, you can then access the list of Aliases from several places in Snort where Aliases are allowed by clicking the VIEW button beside the fields.  Anytime you see a textbox entry field with a red background, that means it will only accept an already-created Alias name as a valid parameter.