Professional Documents
Culture Documents
Quick Snort Setup Instructions For New Users - Netgate Forum
Quick Snort Setup Instructions For New Users - Netgate Forum
IDS/IPS (/category/53/ids-ips)
/ Quick Snort Setup Instructions for New Users (/topic/55095.rss)
Here are the steps for a very quick and easy initial setup of the Snort package on pfSense for new users
1. Go to the Available Packages tab under the System menu and install the snort package.
2. When the installation completes, click on Snort under the Services menu. This will open the Snort main setup
page.
3. Click the Global Settings tab and perform the following:
At the top of the page you have three choices for Rule Sets to activate. I recommend strongly that you obtain your
own Oinkcode from Snort.org (http://Snort.org) by clicking the URLs under the radio button for "Install Basic Rules
or Premium Rules". You can sign up for a free "Registered User" account, or pay $29 annually for a "Subscriber
Account". The paid account gets rule updates at least twice per week, and sometimes more. Registered User free
accounts only get rules as they age past 30 days. That means your rules are 30 days old. That's why the paid
account is preferred.
Another option is the free Emerging Threats Rule Set. This one contains quite current rules and is quick to adapt
to new threats, but it does not offer the easy pre-defined policies the Snort VRT rules do. For beginners, the
choices in the Emerging Threats rules can be a bit overwhelming. I recommend the Snort VRT rules, and this
means you need either a free or paid Oinkcode.
4. Click the radio button to "Install Basic Rules or Premium Rules".
5. Assuming you followed my advice above, paste your new Oinkcode in the text box provided. Paste just your
Oinkcode itself. Do not include URL or filename! Snort handles those using built-in values.
7. Next, go to the Updates tab and click the Update button to download your rules. Don't worry when it warns
you about no configured interfaces. We will set that next.
8. Click the Snort Interfaces tab and then click the plus "+" icon to add a Snort interface.
10. In the drop-down, choose the interface. The WAN interface is the default and is a good first choice.
11. In the Description textbox, enter a name (WAN again, is fine here).
12. Click the checkbox to "Send alerts to the main System logs".
2 out of 147
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/2 1/23
5/22/2019 Quick Snort Setup Instructions for New Users | Netgate Forum
13. You can leave the other settings at their defaults, but one setting you can usually safely enable is the
"Checksum Check Disable" box.
14. Click Save and you will be returned to the main Snort Interfaces tab.
15. Click the small "e" next to your interface to edit more settings.
17. Scroll down into the General Preprocessor Settings area and then check (or enable) all of the preprocessors
listed in that section EXCEPT the Sensitive Data preprocessor. It can cause a lot of alerts and is best used after you
gain some experience with Snort.
19. Now click on the Categories tab. This is where we will choose a threat detection policy and associated rules.
20. If you followed my advice for Snort VRT rules, this page is easy. Just click the check box for "Use IPS Policy"
and then select "Connectivity" in the drop-down. Click Save and you're done! Once you gain some experience
with Snort, you can come back and choose one of the other two more restrictive policies. I personally run
"Balanced", but it will require some tuning if run in blocking mode.
22. Click the red icon under the Snort column for your interface. After several seconds it will turn into a green icon
if Snort starts up.
23. Congratulations! You have an operable Snort IDS (Intrusion Detection System). Alerts can be viewed on the
Alerts tab. After you gain experience, you can put Snort in blocking mode (IPS) by checking the "Block Offenders"
box on the If Settings tab for the interface.
24. If Snort failed to start for you, click Status and System Logs from the pfSense menu to examine the system
log. You should find a clue for Snort not starting in there. Probably one of the most common reasons for failing to
start is a preprocessor dependency in an enabled rule. Stated another way, an enabled rule contains a rule option
or content option that relies on a preprocessor that is currently disabled. This is why I recommend turning on
pretty much all of the preprocessors back up in Step 17. That avoids these kinds of FATAL ERROR problems on
Snort startup. As you gain experience and knowledge with Snort, you can selectively disable preprocessors you
truly do not need. For an explanation of preprocessors and their associated rule options, have a look at the Snort
Manual at http://manual.snort.org/node17.html (http://manual.snort.org/node17.html)
Bill
1
Log in to reply (/login)
Just wanted to say thanks, I'm a first time Snort user and this really helped me get things up and running to the
point where I can start dicking around and experimenting. :D
0
2 out of 147
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/2 2/23
5/22/2019 Quick Snort Setup Instructions for New Users | Netgate Forum
? A Former User May 30, 2013, 5:23 AM (/post/398051)
The Missing Part to Quick Snort Setup Instructions for New Users
With that out of the way, this is the process to stop false positives.
1. Identify the rule causing them. On the alerts tab you will find all alerts (no kidding). The last columns should
show a number in the format x:YYYY:x and an explanation for the rule.
I'll use this for this example:
x:2000419:x ET POLICY PE EXE or DLL Windows file download
2. copy the YYYY part (2000419). Take a look at the explanation. ET (emerging threats) POLICY. This means
you'll find this rule in emerging-policy list.
3. go to the snort home page (services> snort). Click the e to edit interface settings, then go to rules. In the
drop down select emerging-policy. Assuming you use firefox, CTRL+F and paste the rule number (called
sig_id, signature ID) and click next. For other browsers, find a way to search the page for a term and enter
the number there.
4. click the red or yellow (depending if you previously enabled the rule) to turn it into a lighter shade of yellow
(see bottom of page).
5. top of page, click apply changes and wait for the page to reload.
6. go back to the snort home page and restart the interface (click the red x until it becomes green, wait a
couple of seconds and click it again to turn it back to red) <<< DO NOT FORGET THIS STEP
–----warning!!!-------
as of version 2.5.8 the icons are now swapped. Green is running, red is not running. So invert the colors
above
7. relax, the rule is now disabled and will stop generating alerts. Go to blocked tab, and find the ip that it
previously banned and unban it (click the button to the right of the explanation).
In that rare case you cannot find the rule causing the alert (eg explanation does not offer information about the
list), first check GPLv2 list, then IPS policy list. If you still cannot find it, a suppression entry is needed. Simply click
the add to suppression list (little +) next to the rule on the alerts tab. Assuming you have set up your suppression
list correctly, it will be added to it. Restart the interface (step 6 above), unban the ip, and you are done!
And now for my contribution to the community. The default enabled rules are too relaxed. We need to enable
more rules, but a word of caution. ONLY USE THIS LIST IF YOU HAVE ENOUGH MEMORY.
I'm currently using it on redundant CARP firewalls, with a crappy p4 cpu and 2GB of ram each. The systems average
2 out of 147
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/2 3/23
5/22/2019 Quick Snort Setup Instructions for New Users | Netgate Forum
about 25-30% RAM usage.The list below shows how snort is configured on a production environment and works
perfectly (for me) but it is not complete. Entries that do not have a DONE > in front of them are NOT COMPLETED.
Please review and make changes depending on your environment.
Suppression List:
#GLOBAL
gen_id 1
2 out of 147
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/2 8/23
5/22/2019 Quick Snort Setup Instructions for New Users | Netgate Forum
Unknown
suppress gen_id 120, sig_id 10
#(smtp) Attempted response buffer overflow: 1448 chars
suppress gen_id 124, sig_id 3
#(ftp_telnet) Invalid FTP Command
suppress gen_id 125, sig_id 2
#(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
suppress gen_id 137, sig_id 1
#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1
0
I had a discussion recently with another Snort user about suggested setups. The user was asking whether to run
Snort just on the WAN, or to run it on both the WAN and LAN. The post linked below describes a good Snort
configuration method for users with a single WAN interface and a LAN interface using NAT (typical for home
networks and some small businesses).
http://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417
(http://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417)
Bill
0
T (/user/traxxus)traxxus (/user/traxxus) Jun 8, 2013, 6:09 PM (/post/399736)
@bmeeks (https://forum.netgate.com/uid/13808):
I had a discussion recently with another Snort user about suggested setups. The user was asking whether to run Snort just on
the WAN, or to run it on both the WAN and LAN. The post linked below describes a good Snort configuration method for
users with a single WAN interface and a LAN interface using NAT (typical for home networks and some small businesses).
http://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417
(http://forum.pfsense.org/index.php/topic,62928.msg341417.html#msg341417)
Bill
http://services.ce3c.be/ciprg/?countrys=RUSSIAN+FEDERATION (http://services.ce3c.be/ciprg/?
countrys=RUSSIAN+FEDERATION)
0
2 out of 147
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/2 10/23
5/22/2019 Quick Snort Setup Instructions for New Users | Netgate Forum
dhatz (/user/dhatz) Jun 9, 2013, 1:28 AM (/post/399767)
D (/user/dhatz)
@traxxus (https://forum.netgate.com/uid/37683):
http://services.ce3c.be/ciprg/?countrys=RUSSIAN+FEDERATION (http://services.ce3c.be/ciprg/?
countrys=RUSSIAN+FEDERATION)
Is there really any benefit in completely blocking entire countries ? I mean, looking at the logs of tens of servers, I'd
say that most "bad" traffic seems to originate from hacked VPS in USA and Europe.
I typically use country CIDR ranges to explicitly white-list ranges of IPs for SSH logins on certain systems, in those
few cases where I "know" that nobody will login from abroad.
PS: Sorry for high-jacking this thread, mod(s) please feel free to move this message to a more appropriate topic.
0
First of all, sorry if it's a noob question. We use pfSense as inter-department firewall within private network. We
could install snort package through pfSense proxy setting. However, we couldn't perform the snort rule update. Is
there anyway we could set the proxy snort update and how? or how to perform snort rule update manually?
FYR, we are using pfSense 2.0.3 with Snort 2.9.4.6 pkg v. 2.5.9
0
@vipermy (https://forum.netgate.com/uid/20968):
First of all, sorry if it's a noob question. We use pfSense as inter-department firewall within private network. We could install
snort package through pfSense proxy setting. However, we couldn't perform the snort rule update. Is there anyway we could
set the proxy snort update and how? or how to perform snort rule update manually?
FYR, we are using pfSense 2.0.3 with Snort 2.9.4.6 pkg v. 2.5.9
Proxy support for rule updates does not currently exist, but that is an excellent idea to add to the package. I will
put that on my TODO list.
Give me a little time to investigate a temp workaround for you. Perhaps a quick patch might be doable that allows
Snort to use the pfSense proxy settings.
Bill
0
2 out of 147
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/2 11/23
5/22/2019 Quick Snort Setup Instructions for New Users | Netgate Forum
S (/user/supermule)Supermule (/user/supermule) Banned Jul 4, 2013, 7:53 PM (/post/404133)
0
(/user/bmeeks) bmeeks (/user/bmeeks) Jul 4, 2013, 9:03 PM (/post/404150)
@Supermule (https://forum.netgate.com/uid/10037):
I would create an Alias for the IP under Firewall…Aliases. Then go to the Whitelist tab and either create new list
or choose the one being used by the interface in question. At the bottom of the edit screen for the whitelist is a
red background textbox for adding an Alias. Simply choose the Alias there you created. Start typing the name of
the Alias and a dropdown list should automatically appear of matching entries to choose from.
If there are several IPs, or may be several in the future, I would create an Alias group and put the IPs in there. Then
choose that group on the Whitelist edit page.
Bill
0
Supermule (/user/supermule)
S (/user/supermule) Banned Jul 4, 2013, 9:09 PM (/post/404153)
Yes but even if you run more than one whitelist, you can only add one for the WAN interface….
0
(/user/bmeeks) bmeeks (/user/bmeeks) Jul 4, 2013, 9:38 PM (/post/404156)
@Supermule (https://forum.netgate.com/uid/10037):
Yes but even if you run more than one whitelist, you can only add one for the WAN interface….
Multiple whitelists for the same interface don't really make sense to me. It all has to be a single file for the Spoink
plugin anyway. Now what could be done is allow the addition of multiple Aliases, but the same thing can be
accomplished by using Alias groups. So it's six of one and half-dozen of the other as we say in America ;D The
idea with multiple whitelists is to have a different one for each interface if you want.
Perhaps you are not using Aliases to their full extent? They are a powerful tool that makes future upkeep of the
firewall rules and Snort easy. When an IP changes, just change it once in the Alias tab and it is instantly changed
everywhere that Alias is used. Contrast this with having individual IPs scattered all over the rules in the firewall,
Snort and other places. Lots of places to change then and lots of opportunity for typos.
I have yet to encounter a whitelist situation that can't be solved with a single Alias group. Then in that group I can
add all kinds of host IPs and/or networks. These all get translated into actual IPs when the whitelist file is built
during generation of the snort.conf file.
2 out of 147
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/2 12/23
5/22/2019 Quick Snort Setup Instructions for New Users | Netgate Forum
Lots of commercial firewalls use the same idea as Aliases. I work extensively with Check Point firewalls, and they
call them "objects", but they work the same way as Aliases in pfSense. In Check Point, you cannot enter an IP
address or port number anywhere in a firewall rule. Everything has to be entered as an object. You first create
objects having the IP addresses and ports you want to use, then you select those objects in your rules. It seems
extra work the first time you see it, but then you quickly start to appreciate the utility when you come along and
need to change a host IP for instance. Just change it in the object, push the firewall policy (Check Point's term for
regenerating the configuration), and the new IP address is reflected in every rule that references it. No need to
manually update the IP in say a dozen rules or something (where each time you type it you could enter it wrong).
0
S (/user/supermule)Supermule (/user/supermule) Banned Jul 4, 2013, 9:46 PM (/post/404160)
0
(/user/bmeeks) bmeeks (/user/bmeeks) Jul 4, 2013, 9:54 PM (/post/404163)
@Supermule (https://forum.netgate.com/uid/10037):
You can create an Alias that has other Aliases in it. Under Firewall…Aliases. Attached are two screenshots
showing my whitelist alias group. Click the (e) to edit the alias. Then on the next screen click the (+) icon to add
more entries to the alias (in effect making it an Alias Group).
Bill
0
S (/user/supermule)Supermule (/user/supermule) Banned Jul 4, 2013, 9:58 PM (/post/404166)
0
(/user/bmeeks) bmeeks (/user/bmeeks) Jul 4, 2013, 9:59 PM (/post/404167)
Here is the Whitelist entry itself. Notice the Alias down at the bottom is the one created in the previous
screenshots.
Bill
2 out of 147 0
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/2 13/23
5/22/2019 Quick Snort Setup Instructions for New Users | Netgate Forum
S (/user/supermule)Supermule (/user/supermule) Banned Jul 4, 2013, 10:00 PM (/post/404168)
0
(/user/bmeeks) bmeeks (/user/bmeeks) Jul 4, 2013, 10:05 PM (/post/404169)
@Supermule (https://forum.netgate.com/uid/10037):
You're welcome. I just used some quick and dirty names for example, but you could name things logically and
perhaps create a "WAN_whitelist_hosts" Alias and then others for different interfaces. As I said, Aliases are very
powerful tools once you get the hang of using them.
Bill
0
S (/user/supermule)Supermule (/user/supermule) Banned Jul 4, 2013, 10:13 PM (/post/404170)
0
(/user/bmeeks) bmeeks (/user/bmeeks) Jul 5, 2013, 1:08 AM (/post/404195)
@vipermy (https://forum.netgate.com/uid/20968):
First of all, sorry if it's a noob question. We use pfSense as inter-department firewall within private network. We could install
snort package through pfSense proxy setting. However, we couldn't perform the snort rule update. Is there anyway we could
set the proxy snort update and how? or how to perform snort rule update manually?
FYR, we are using pfSense 2.0.3 with Snort 2.9.4.6 pkg v. 2.5.9
Sent you a PM with my e-mail address. Reply back to the address and I will send you a patched file I would like for
you to test for me. I think it will allow Snort rule updates through the pfSense system proxy.
Bill
0
M (/user/mr-jingles)Mr. Jingles (/user/mr-jingles) Jul 7, 2013, 12:06 PM (/post/404585)
0
2 out of 147
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/2 14/23
5/22/2019 Quick Snort Setup Instructions for New Users | Netgate Forum
Mr. Jingles (/user/mr-jingles) Jul 10, 2013, 9:55 PM (/post/405219)
M (/user/mr-jingles)
I purchased a subscription, but I am not quite sure if I understand the GUI correctly now.
Before, the last couple of months, when I didn't have a subscription, I flagged 'install snort community rules'
(obviously, since they are free ;D) and also enabled them on both interfaces (for/ex: WAN-categories -> Select the
rulesets Snort will load at startup -> Snort GPLv2 Community Rules (VRT certified)).
But now that my oinkcode stands for a paid subscription, do I still have to select 'install snort community rules', or
is just selecting the right 'IPS-policy' sufficient? I ask, since specifically now I don't see any alerts in my Snort-log
anymore.
0
(/user/bmeeks) bmeeks (/user/bmeeks) Jul 16, 2013, 2:40 AM (/post/406050)
@Hollander:
I purchased a subscription, but I am not quite sure if I understand the GUI correctly now.
Before, the last couple of months, when I didn't have a subscription, I flagged 'install snort community rules' (obviously, since
they are free ;D) and also enabled them on both interfaces (for/ex: WAN-categories -> Select the rulesets Snort will load at
startup -> Snort GPLv2 Community Rules (VRT certified)).
But now that my oinkcode stands for a paid subscription, do I still have to select 'install snort community rules', or is just
selecting the right 'IPS-policy' sufficient? I ask, since specifically now I don't see any alerts in my Snort-log anymore.
The paid subscription Oinkcode automatically includes the "Snort Community Rules" in the downloaded rule set,
so you do not need to manually select those anymore.
Just check the Snort VRT rules (and optionally Emerging Threats if you want some of those), then choose an IPS
Policy. You will get the Community Rules this way.
Bill
0
J (/user/jdsilva)jdsilva (/user/jdsilva) Oct 4, 2013, 8:00 AM (/post/422824)
I have snort up and running. I subscribed to the VRT rules. However when I added my oinkcode, it doesn't seem to
download the latest subscriber rules. For example I ran the update today, and it downloaded snortrules-snapshot-
2946.tar.gz Sept 3. It should have downloaded snortrules-snapshot-2950.tar.gz
0
(/user/bmeeks) bmeeks (/user/bmeeks) Oct 8, 2013, 8:14 PM (/post/423596)
2 out of 147
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/2 15/23
5/22/2019 Quick Snort Setup Instructions for New Users | Netgate Forum
@jdsilva (https://forum.netgate.com/uid/43872):
I have snort up and running. I subscribed to the VRT rules. However when I added my oinkcode, it doesn't seem to download
the latest subscriber rules. For example I ran the update today, and it downloaded snortrules-snapshot-2946.tar.gz Sept 3. It
should have downloaded snortrules-snapshot-2950.tar.gz
No, the binary version of Snort is considered when downloading rule updates. The rules are coded for the
different binary versions. Snort on pfSense is currently version 2.9.4.6, so you will download the 2.9.4.6 rules
snapshot. The rules usually update on Tuesday and Thursday over at Snort.org (http://Snort.org).
An update to the 2.9.5.5 Snort binary for the pfSense Snort package should come out late this month or early in
November. Testing it now.
Bill
0
C (/user/coolcat1975)coolcat1975 (/user/coolcat1975) Oct 16, 2013, 5:48 PM (/post/425081)
Hi!
best regards
Karl
0
(/user/bmeeks) bmeeks (/user/bmeeks) Oct 16, 2013, 8:05 PM (/post/425115)
@coolcat1975 (https://forum.netgate.com/uid/4059):
Hi!
best regards
Karl
You can't easily disable this directly because it is a preprocessor alert. I've seen some traffic about this alert on the
Snort mailing list that indicates it is a potential bug in the preprocesor code.
The best workaround for now is to create a Suppress List entry for this alert. On the ALERTS tab, click the little
plus sign (+) next to the alert's GID:SID. This will automatically add it to the Suppress List and you won't get blocks
on those IPs. You will still see the alert in the ALERTS tab, but it will not block the offending IP.
2 out of 147
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/2 16/23
5/22/2019 Quick Snort Setup Instructions for New Users | Netgate Forum
After adding the Suppress entry, restart Snort on the affect interface.
Bill
0
C (/user/coolcat1975)coolcat1975 (/user/coolcat1975) Oct 16, 2013, 9:33 PM (/post/425135)
hi!
i am aware about the supress function but best practice says that you should disable the rule.
anyway: i will test supressing as all alerts are forwarded to icinga. i hope this will also be supressed
greetings
karl
0
(/user/bmeeks) bmeeks (/user/bmeeks) Oct 17, 2013, 6:28 AM (/post/425209)
@coolcat1975 (https://forum.netgate.com/uid/4059):
hi!
i am aware about the supress function but best practice says that you should disable the rule.
anyway: i will test supressing as all alerts are forwarded to icinga. i hope this will also be supressed
greetings
karl
Disabling is the best, but with today's hardware capability just suppressing is fine. That's the answer you generally
get from the Snort VRT folks as well. Maybe if you are inspecting 1 Gbit/sec plus traffic loads, the distinction
between disabling and suppressing matters; but for most folks with modern hardware there is no meaning
difference.
Bill
0
C (/user/coolcat1975)coolcat1975 (/user/coolcat1975) Oct 17, 2013, 5:11 PM (/post/425279)
If snort is bound to Interface WAN and pfsense is in transparent mode, how is snort working when blocking is
activated?
does snort drop the packet and blocks the ip or is the packet passed and then the ip is blocked?
karl
0
@coolcat1975 (https://forum.netgate.com/uid/4059):
If snort is bound to Interface WAN and pfsense is in transparent mode, how is snort working when blocking is activated?
does snort drop the packet and blocks the ip or is the packet passed and then the ip is blocked?
regards
karl
I honestly don't know the answer to that question. I've never tested Snort on pfSense in Transparent Mode. I
suspect the traffic will still get blocked because Snort actually uses the packet filter engine and its tables to insert
blocks. In that sense it operates just like the firewall module itself.
Where Snort might get tripped up in Transparent Mode is with the defintion of $HOME_NET and $EXTERNAL_NET
variables.
Bill
0
Hi,
Before I found it I just went through all the options and configured as I thought it makes sense to my limited
knowledge and I did one thing differently.
I went to my defined WAN interface in snort -> Wan Rules -> selected from drop down GPLv2 rules and pressed
on enable all rules in the current category as they were all greyed out before that and seemed inactive - is this
necessary step and what it actually means if I leave all of them greyed out and what it means if I enable them.
Also in point
20. If you followed my advice for Snort VRT rules, this page is easy. Just click the check box for "Use IPS Policy" and
then select "Connectivity" in the drop-down. Click Save and you're done! Once you gain some experience with Snort,
you can come back and choose one of the other two more restrictive policies. I personally run "Balanced", but it will
require some tuning if run in blocking mode.
If I only registered an account (without a paid subscription) to get access to GPL rules should I tick or leave the
"Use IPS Policy" box unticked?
If I have mail server, DNS, DHCP and SQL server on my LAN should I define the names in WAN Variables and if yes
what is the correct syntax? Can it be IP or is it a FQN
seb
0
(/user/bmeeks) bmeeks (/user/bmeeks) Oct 18, 2013, 7:17 AM (/post/425409)
@sebna (https://forum.netgate.com/uid/40097):
I went to my defined WAN interface in snort -> Wan Rules -> selected from drop down GPLv2 rules and pressed on enable
all rules in the current category as they were all greyed out before that and seemed inactive - is this necessary step and what
it actually means if I leave all of them greyed out and what it means if I enable them.
Also in point
20. If you followed my advice for Snort VRT rules, this page is easy. Just click the check box for "Use IPS Policy" and then select
"Connectivity" in the drop-down. Click Save and you're done! Once you gain some experience with Snort, you can come back
and choose one of the other two more restrictive policies. I personally run "Balanced", but it will require some tuning if run in
blocking mode.
If I only registered an account (without a paid subscription) to get access to GPL rules should I tick or leave the "Use IPS
Policy" box unticked?
If I have mail server, DNS, DHCP and SQL server on my LAN should I define the names in WAN Variables and if yes what is the
correct syntax? Can it be IP or is it a FQN
seb
If you registered at Snort.org (http://Snort.org) for the free account, that entitles you to the full Snort VRT rules
download. The only caveat is they are 30 days older than the rules the paid subscribers get. As for the GPLv2
Community Rules, generally only a few of them will be enabled by default. You can turn on the ones of interest to
you. If you don't want the headache of figuring out which Community Rules you want or need, then an easier
approach in my view is to enable and use the Emerging Threats rules instead. They stay pretty current and are
arranged in categories that give clues as to what the rules are doing.
You can use the IPS Policy with the Snort VRT rules whether you have a paid or free account. The only difference in
paid versus free is the age of the rules. As I mentioned, the paid subscribers get current updates. The free account
registered users get the new rules 30 days after the paid users. It's a 30-day rolling sort of thing. But the same IPS
policies are available in both sets of rules.
If you have Mail, DNS and other specific servers on your network, you can certainly define their IP addresses for
Snort. This makes Snort's job a bit easier. By default, it assumes all the IP addresses in your network are all of the
potential servers. So this means it sort of inspects all traffic for all IPs for everything. You can narrow this down by
defining where some services are located (that is, which IP addresses host those services on your HOME_NET
networks). Armed with that information, Snort won't waste time looking for HTTP web exploits against a DNS or
DHCP server. It does this by matching the IP address in the target to the values you define in the variables.
To define servers or ports on the VARIABLES tab, you must first create a corresponding Alias under Firewall…Alias
from the pfSense menu. Type a descriptive name for the Alias, such as DNS_Servers, and then enter the IP
addresses of all of your DNS servers. Repeat the process to create Aliases for any other servers. Now go to the
VARIABLES tab in Snort and scroll down to the server description. Start typing the name of the Alias you defined
earlier. It should auto-complete in the Alias form field. Click SAVE when done.
2 out of 147 0
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/2 19/23
5/22/2019 Quick Snort Setup Instructions for New Users | Netgate Forum
S (/user/sebna)sebna (/user/sebna) Oct 18, 2013, 11:13 PM (/post/425583)
It was late and I was tried yesterday :) I found the cause of the problem and basically I just need a restart for my
OINK to work and to be able to download the definitions…
Thank you for clarifying other things and advice. Much appreciated as the whole guide :)
Seb
0
C (/user/coolcat1975)coolcat1975 (/user/coolcat1975) Oct 19, 2013, 2:54 AM (/post/425626)
hi!
regards
Karl
0
(/user/bmeeks) bmeeks (/user/bmeeks) Oct 19, 2013, 5:39 AM (/post/425645)
@coolcat1975 (https://forum.netgate.com/uid/4059):
hi!
regards
Karl
Snort is kinda-sorta "inline" on pfSense. It can insert blocks into the firewall. It is not 100% technically inline like it
would be in a classic pure IPS.
Bill
0
S (/user/sebna)sebna (/user/sebna) Oct 20, 2013, 8:09 AM (/post/425752)
My SNORT will produce a lot alerts but only few blocks (ATM it runs only on WAN interface). Before adding
pfblocker and running Snort in "Use IPS Policy" (I run it in security mode) it was blocking a lot more.
I dont have any custom whitelist and my Suppress contains only of google ip(s).
2 out of 147
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/2 20/23
5/22/2019 Quick Snort Setup Instructions for New Users | Netgate Forum
Any ideas?
Thanks
0
(/user/bmeeks) bmeeks (/user/bmeeks) Oct 20, 2013, 7:53 PM (/post/425795)
@sebna (https://forum.netgate.com/uid/40097):
… Before adding pfblocker and running Snort in "Use IPS Policy" (I run it in security mode) it was blocking a lot more.
I dont have any custom whitelist and my Suppress contains only of google ip(s).
Any ideas?
Thanks
It could be that pfBlocker is preempting Snort and putting blocks in place. I don't think the blocks of a particular IP
address will be duplicated.
Also, you did not post the version of pfSense you are running. If it is 2.1, then a problem with the filter_reload()
function within that version of pfSense periodically clears the Snort block table. So Snort is possibly blocking the
IP, then the pfSense filter_reload() function comes along and clears the table. When you look at the BLOCKED tab
in Snort, it is actually reading the current entries from the snort2c block table that pfSense maintains. The table
may have been recently cleansed by the filter_reload() routine.
However, even considering the above, protection afforded by Snort is still there. On the next offending packet
from one of those formerly blocked IP addresses, Snort will insert a fresh block.
Bill
0
G (/user/godlyatheist)godlyatheist (/user/godlyatheist) Nov 22, 2013, 11:14 PM (/post/431064)
Thank you OP for the guide. I have some basic questions about setting up Snort. In the guide it said click the green
arrow in the Snort column on the Interface tab so it turns red. But the tooltip says green is enabled and red is
stopped, am I confused? Also, why does my Block column say DISABLED when though Snort is enabled?
0
? A Former User Nov 23, 2013, 12:08 AM (/post/431072)
@godlyatheist (https://forum.netgate.com/uid/45063):
Thank you OP for the guide. I have some basic questions about setting up Snort. In the guide it said click the green arrow in
the Snort column on the Interface tab so it turns red. But the tooltip says green is enabled and red is stopped, am I confused?
Also, why does my Block column say DISABLED when though Snort is enabled?
2 out of 147
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/2 21/23
5/22/2019 Quick Snort Setup Instructions for New Users | Netgate Forum
The arrow color was recently changed to be more in "sync" with the rest of the interface. It used to be press the
green to start, press the red to stop. The problem was that it showed a red arrow on the status tab while snort was
running, which was different with all the rest of the interface (green means OK).
The reason it says that, is that we cannot change old posts on this forum.
To clarrify myself:
Green means snort IS running, you click it to STOP it.
Red means snort is NOT running, you click it to START it.
0
Log in to reply (/login)
Products
Platform Overview (https://www.netgate.com/products/platform.html)
TNSR (https://www.netgate.com/products/tnsr/)
pfSense (https://www.netgate.com/solutions/pfsense/)
Appliances (https://www.netgate.com/products/appliances/)
Applications
AWS Transit VPC (https://www.netgate.com/applications/aws-transit-vpc.html)
High-Performance Cloud Mirror Port (https://www.netgate.com/applications/high-performance-cloud-
mirror-port.html)
High-Performance vRouter (https://www.netgate.com/applications/high-performance-vrouter.html)
High Performance Cloud Firewall (https://www.netgate.com/applications/high-performance-cloud-
firewall.html)
Support
Subscription Plans (https://www.netgate.com/support/)
Contact Support (https://www.netgate.com/support/contact-support.html)
Product Lifecycle (https://www.netgate.com/support/product-lifecycle.html)
Documentation (https://www.netgate.com/docs/)
Services
Training (https://www.netgate.com/training/)
Professional Services (https://www.netgate.com/our-services/professional-services.html)
News
Media Coverage (https://www.netgate.com/company/media.html)
Press (https://www.netgate.com/company/press.html)
2 out of 147
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/2 22/23
5/22/2019 Quick Snort Setup Instructions for New Users | Netgate Forum
Events (https://www.netgate.com/company/events.html)
Resources
Blog (https://www.netgate.com/blog/)
FAQ (https://www.netgate.com/support/frequently-asked-questions.html)
Find a Partner (https://www.netgate.com/partners/locator.html)
Resource Library (https://www.netgate.com/resources/)
Company
About Us (https://www.netgate.com/company/about-us.html)
Careers (https://www.netgate.com/company/careers.html)
Partners (https://www.netgate.com/partners/)
Contact Us (https://www.netgate.com/company/contact-us.html)
Legal (https://www.netgate.com/company/legal.html)
(https://www.twitter.com/NetgateUSA)
(https://www.youtube.com/c/netgateofficial)
(https://www.reddit.com/r/netgate)
(https://www.linkedin.com/company/netgate)
(https://www.netgate.com/blog/)
Our Mission
As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity
that maintains both security and privacy. We also believe everyone should be able to afford it.
Subscribe to our Newsletter
Product information, software announcements, and special offers. See our newsletter archive
(https://www.netgate.com/resources/newsletters/) for past announcements.
Email*
Email Address
I understand I am signing up to receive the newsletter, software announcements, and special offers from
Netgate.*
Subscribe
© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy
(https://www.netgate.com/company/privacy-policy)
2 out of 147
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/2 23/23