
Author Topic: Quick Snort Setup Instructions for New Users  (Read 166215 times)


Offline bmeeks

Re: Quick Snort Setup Instructions for New Users
« Reply #15 on: July 04, 2013, 11:59:18 am »
Here is the Whitelist entry itself.  Notice the Alias down at the bottom is the one created in the previous screenshots.

Bill

Offline Supermule

Re: Quick Snort Setup Instructions for New Users
« Reply #16 on: July 04, 2013, 12:00:35 pm »
I understand! Thx mate. Really appreciated!
Kind regards Brian


Offline bmeeks

Re: Quick Snort Setup Instructions for New Users
« Reply #17 on: July 04, 2013, 12:05:49 pm »
I understand! Thx mate. Really appreciated!

You're welcome. I just used some quick and dirty names for example, but you could name things logically and perhaps create a "WAN_whitelist_hosts" Alias and then others for different interfaces.  As I said, Aliases are very powerful tools once you get the hang of using them.

Bill

Offline Supermule

Re: Quick Snort Setup Instructions for New Users
« Reply #18 on: July 04, 2013, 12:13:22 pm »
I have named it Snort Friendly IP :D
Kind regards Brian


Offline bmeeks

Re: Quick Snort Setup Instructions for New Users
« Reply #19 on: July 04, 2013, 03:08:42 pm »
First of all, sorry if it's a noob question. We use pfSense as an inter-department firewall within a private network. We could install the snort package through the pfSense proxy setting. However, we couldn't perform the snort rule update. Is there any way we could set the proxy for snort updates, and how? Or how do we perform the snort rule update manually?

FYR, we are using pfSense 2.0.3 with Snort 2.9.4.6 pkg v. 2.5.9 

Thank you in advance.

Sent you a PM with my e-mail address.  Reply back to the address and I will send you a patched file I would like for you to test for me.  I think it will allow Snort rule updates through the pfSense system proxy.

Bill

Offline Mr. Jingles

Re: Quick Snort Setup Instructions for New Users
« Reply #20 on: July 07, 2013, 02:06:46 am »
Thank you both for the explanations, I learned something valuable  ;D

Offline Mr. Jingles

Re: Quick Snort Setup Instructions for New Users
« Reply #21 on: July 10, 2013, 11:55:43 am »
Could I ask a question about the oinkcode?

I purchased a subscription, but I am not quite sure if I understand the GUI correctly now.

Before, the last couple of months, when I didn't have a subscription, I flagged 'install snort community rules' (obviously, since they are free  ;D) and also enabled them on both interfaces (for/ex: WAN-categories -> Select the rulesets Snort will load at startup -> Snort GPLv2 Community Rules (VRT certified)).

But now that my oinkcode stands for a paid subscription, do I still have to select 'install snort community rules', or is just selecting the right 'IPS-policy' sufficient? I ask, since specifically now I don't see any alerts in my Snort-log anymore.

Thank you for your answer  ;D

Offline bmeeks

Re: Quick Snort Setup Instructions for New Users
« Reply #22 on: July 15, 2013, 04:40:03 pm »
Could I ask a question about the oinkcode?

I purchased a subscription, but I am not quite sure if I understand the GUI correctly now.

Before, the last couple of months, when I didn't have a subscription, I flagged 'install snort community rules' (obviously, since they are free  ;D) and also enabled them on both interfaces (for/ex: WAN-categories -> Select the rulesets Snort will load at startup -> Snort GPLv2 Community Rules (VRT certified)).

But now that my oinkcode stands for a paid subscription, do I still have to select 'install snort community rules', or is just selecting the right 'IPS-policy' sufficient? I ask, since specifically now I don't see any alerts in my Snort-log anymore.

Thank you for your answer  ;D

The paid subscription Oinkcode automatically includes the "Snort Community Rules" in the downloaded rule set, so you do not need to manually select those anymore.

Just check the Snort VRT rules (and optionally Emerging Threats if you want some of those), then choose an IPS Policy.  You will get the Community Rules this way.

Bill

Offline jdsilva

Re: Quick Snort Setup Instructions for New Users
« Reply #23 on: October 03, 2013, 10:00:58 pm »
I have snort up and running. I subscribed to the VRT rules. However when I added my oinkcode, it doesn't seem to download the latest subscriber rules. For example I ran the update today, and it downloaded snortrules-snapshot-2946.tar.gz Sept 3. It should have downloaded snortrules-snapshot-2950.tar.gz

Offline bmeeks

Re: Quick Snort Setup Instructions for New Users
« Reply #24 on: October 08, 2013, 10:14:02 am »
I have snort up and running. I subscribed to the VRT rules. However when I added my oinkcode, it doesn't seem to download the latest subscriber rules. For example I ran the update today, and it downloaded snortrules-snapshot-2946.tar.gz Sept 3. It should have downloaded snortrules-snapshot-2950.tar.gz

No, the binary version of Snort is considered when downloading rule updates.  The rules are coded for the different binary versions.  Snort on pfSense is currently version 2.9.4.6, so you will download the 2.9.4.6 rules snapshot.  The rules usually update on Tuesday and Thursday over at Snort.org.

An update to the 2.9.5.5 Snort binary for the pfSense Snort package should come out late this month or early in November.  Testing it now.

Bill

Offline coolcat1975

Re: Quick Snort Setup Instructions for New Users
« Reply #25 on: October 16, 2013, 07:48:45 am »
Hi!

I am using policy connectivity.
I am getting false positives for ssp_ssl: Invalid Client HELLO after Server HELLO Detected.

How can I disable this policy when using policy?

best regards

Karl

Offline bmeeks

Re: Quick Snort Setup Instructions for New Users
« Reply #26 on: October 16, 2013, 10:05:19 am »
Hi!

I am using policy connectivity.
I am getting false positives for ssp_ssl: Invalid Client HELLO after Server HELLO Detected.

How can I disable this policy when using policy?

best regards

Karl

You can't easily disable this directly because it is a preprocessor alert.  I've seen some traffic about this alert on the Snort mailing list that indicates it is a potential bug in the preprocessor code.

The best workaround for now is to create a Suppress List entry for this alert.  On the ALERTS tab, click the little plus sign (+) next to the alert's GID:SID.  This will automatically add it to the Suppress List and you won't get blocks on those IPs.  You will still see the alert in the ALERTS tab, but it will not block the offending IP.

After adding the Suppress entry, restart Snort on the affected interface.

Bill
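As an added illustration of the Suppress List mechanics Bill describes (this is not code from the pfSense Snort package or from anyone in the thread): a small Python model that parses suppress entries in Snort's threshold.conf syntax, including the IP-tracked form, and runs constructed fast-format alert lines through them, leaving only the alerts that would still be block candidates. GID 137 is the SSL preprocessor; the SID, the local rule and all addresses are assumptions or constructed samples.

```python
import ipaddress
import re

# Snort suppress syntax (threshold.conf style) as entered in the pfSense Suppress List.
SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
                         r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$")
# Snort "fast" alert line: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(r"\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\].*?\{\w+\}\s+"
                      r"([\d.]+)(?::\d+)?\s+->\s+([\d.]+)(?::\d+)?")

# Constructed suppress list (GID 137 is the SSL preprocessor; SID 1 for the HELLO alert is assumed).
SUPPRESS_LIST = """
suppress gen_id 137, sig_id 1                                        # whole alert, any host
suppress gen_id 1, sig_id 1000001, track by_src, ip 203.0.113.0/24   # only from this net
"""
# Constructed alert lines in Snort fast format (SID 1000001 is a made-up local rule).
ALERTS = [
    "10/16/13-07:40:12.123456  [**] [137:1:1] (spp_ssl) Invalid Client HELLO after Server HELLO Detected [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 203.0.113.10:443",
    "10/16/13-07:41:03.000001  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 2] {TCP} 203.0.113.10:80 -> 10.0.0.5:49152",
    "10/16/13-07:42:00.000002  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 2] {TCP} 198.51.100.7:80 -> 10.0.0.6:49153",
]

def parse_suppress_list(text):
    """Return (gid, sid, track, network) tuples; track and network are None for global entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop trailing comments and blank lines
        if line:
            m = SUPPRESS_RE.match(line)
            if not m:
                raise ValueError("unrecognised suppress entry: " + line)
            gid, sid, track, net = m.groups()
            entries.append((int(gid), int(sid), track, ipaddress.ip_network(net) if net else None))
    return entries

def is_suppressed(alert, entries):
    for gid, sid, track, net in entries:
        if (int(alert["gid"]), int(alert["sid"])) == (gid, sid):
            ip = alert["src"] if track == "by_src" else alert["dst"]   # track is None for global entries
            if net is None or ipaddress.ip_address(ip) in net:
                return True
    return False

def blockable_alerts(alert_lines, suppress_text):
    """Alerts that survive the Suppress List, i.e. the ones that would still trigger a block."""
    entries = parse_suppress_list(suppress_text)
    alerts = [dict(zip(("gid", "sid", "msg", "src", "dst"), m.groups()))
              for m in filter(None, map(ALERT_RE.search, alert_lines))]
    return [a for a in alerts if not is_suppressed(a, entries)]
```

The global entry for 137:1 removes the preprocessor alert from the block path regardless of host, while the tracked entry shows how to keep a signature active but exempt one trusted network from it.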

Offline coolcat1975

Re: Quick Snort Setup Instructions for New Users
« Reply #27 on: October 16, 2013, 11:33:57 am »
Hi!

Thanks for your answer.

I am aware of the suppress function, but best practice says that you should disable the rule.

Anyway: I will test suppressing, as all alerts are forwarded to Icinga. I hope this will also be suppressed.

Greetings

Karl

Offline bmeeks

Re: Quick Snort Setup Instructions for New Users
« Reply #28 on: October 16, 2013, 08:28:28 pm »
Hi!

Thanks for your answer.

I am aware of the suppress function, but best practice says that you should disable the rule.

Anyway: I will test suppressing, as all alerts are forwarded to Icinga. I hope this will also be suppressed.

Greetings

Karl

Disabling is the best, but with today's hardware capability just suppressing is fine.  That's the answer you generally get from the Snort VRT folks as well.  Maybe if you are inspecting 1 Gbit/sec plus traffic loads, the distinction between disabling and suppressing matters; but for most folks with modern hardware there is no meaningful difference.

Bill

Offline coolcat1975

Re: Quick Snort Setup Instructions for New Users
« Reply #29 on: October 17, 2013, 07:11:37 am »
Just another question:

If Snort is bound to interface WAN and pfSense is in transparent mode, how does Snort work when blocking is activated?

Does Snort drop the packet and block the IP, or is the packet passed and then the IP is blocked?

Regards

Karl