Source: users.ox.ac.uk/...pfSense-with-SNORT-for-Intrusion-

Extending pfSense with SNORT for Intrusion detection & prevention.

The SNORT package, available in pfSense, provides a much needed intrusion detection and/or prevention system alongside the existing PF stateful firewall within pfSense.

These directions show how to get SNORT running with pfSense, and cover some of the common problems which may be encountered.

Contents

  Extending pfSense with SNORT for Intrusion detection & prevention.
  Quick overview of SNORT on pfSense.
    Introduction
    Rules & subscriptions
    Rulesets and detection
    White lists & suppression rules.
      White lists
      Suppression rules.
  Installing SNORT
  Initial Configuration of SNORT
    General configuration
    Assigning interfaces to SNORT instances
    Selecting the SNORT rules you need and testing them.
      Common Rulesets
    Whitelist definition
  Alerts, suppression rules & lists
    Alert alert alert!
    Unblocking a host
    Preventing it happening again (suppression or disabling a rule)
      Disabling rules
      Suppressing rules

Quick overview of SNORT on pfSense.

Introduction

SNORT is installed as a pfSense package. Once installed you can configure one or more instances of SNORT to run within pfSense. Each SNORT instance runs with its own settings and listens on one particular pfSense interface.

Rules & subscriptions

SNORT has its own syntax for writing rules that inspect network traffic to detect undesirable things. Fortunately you can subscribe to SNORT rule sources, so you don't need to write your own. Within pfSense there are several sources of rules you can subscribe to, under the SNORT global settings:

  Source name              Free/commercial                                      Notes
  Snort VRT                Free account (registration required to obtain an     The paid subscription receives new rules sooner than
                           Oinkcode); commercial subscription available.        the free registered tier.
  Snort Community          Free                                                 Community-contributed rules, no registration needed.
  Emerging Threats ET Open Free                                                 Community-maintained ruleset from Emerging Threats.
  Emerging Threats ET Pro  Commercial only                                      Provides the best coverage and daily updates.
  OpenAppID                Free                                                 For application identification only, not threat
                                                                                detection. Support for OpenAppID in pfSense/SNORT
                                                                                is not complete.

Once you have subscribed to SNORT rule sources, you are given the option to select rulesets (groups of rules belonging to a category) for each instance of SNORT.

Rulesets and detection

The rulesets you enable determine the type of traffic SNORT looks for (and what it doesn't). The main categories of traffic SNORT will look for are:

  Category                        Examples
  Exploits for specific services  HTTP (Apache/IIS/etc), FTP, IMAP, SNMP, etc.
  User traffic                    Web browsers (Chrome, Firefox)
  Malware                         Viruses, worms, PUAs
  Attacks                         DDoS, exploit kits, bad traffic
  Block lists                     Known compromised hosts & black-listed IPs

White lists & suppression rules.

It's important to set up white lists and rule suppression lists, otherwise a blocking instance will act on every false positive.

White lists

Simply a list of hosts (or networks) that SNORT will completely ignore: no alerts and no blocks, whatever rule the traffic matches. Very useful for Oracle or HFS traffic, which often triggers SNORT and is fairly critical and fairly trustworthy (being internal to the university). Put your own servers and gateways here before you enable blocking, otherwise the first false positive may block them.

Suppression rules.

More flexible than a white list: a suppression rule stops SNORT acting on one specific rule (identified by its generator ID and signature ID), optionally only for a particular source or destination IP, while every other rule still applies to that host. The rules are written to a suppression list, which you can edit and put comments in, although the pfSense interface will do this for you. A suppressed event produces no alert, and because pfSense blocks on alerts, no block either. Handy for hosts where we don't want to ignore all traffic, e.g. a web server which needs access from a particular port for a certain IP that SNORT deems bad.

Installing SNORT

Snort is easy to install. Go to System > Packages and install the snort package. The package management system takes care of the dependencies and soon you will see an "installation done" message.

Initial Configuration of SNORT

Once you have done the easy bit of installing SNORT, you'll need to configure it before it will do anything at all.

General configuration

You'll find SNORT configuration and management under the Services menu. From here you'll see the SNORT configuration dashboard, listing any interfaces configured with an instance of SNORT. (In the example screenshot only our WAN interface is configured.)

Assigning interfaces to SNORT instances

You'll want to choose which interfaces to assign for traffic analysis by SNORT (i.e. set up a SNORT instance for that interface).

Note that each instance of SNORT takes RAM and CPU, and as you add more rules to an instance the load on RAM and CPU grows with it.

Each interface will (and should) be set up differently. This is important, as LAN and WAN traffic require different types of analysis and thus different configurations in SNORT.

You will almost certainly want to test SNORT rulesets in detection-only mode before using them to block traffic.

Here is an example of how you could set up SNORT instances on a simple bridging firewall:

  [Diagram: WAN - SNORT instance in IPS mode for blocking bad traffic/hosts. Bridge - SNORT instance in IDS mode for testing rulesets. LAN.]

NB. In some configurations the LAN interface might also merit SNORT analysis, such as guest WiFi or public access networks, to check that machines aren't passing out bad traffic.

IPS = Intrusion prevention system. In this case our SNORT instance is configured to block bad traffic.

IDS = Intrusion detection system. Only detects bad traffic and doesn't block anything.

Click on the + symbol to add an interface mapping to SNORT. Here we are adding/editing the WAN interface:

  [Screenshot: the WAN interface settings tab.]

Running through the options on the Settings tab:

General section

  Enable       Exactly that: enables or disables this SNORT configuration on this interface.
  Interface    The network interface SNORT will listen on and, optionally, act on.
  Description  A friendly name for the instance, to distinguish it from the others.

Alerts

  Send Alerts to System Logs   Alerts (such as network intrusion attempts and SNORT service restarts) will be sent to the syslog service, prefixed with "snort". You may want to enable this for an IPS (blocking) instance of SNORT to keep a record of blocked IPs, but disable it for IDS instances, which would otherwise fill your syslogs with masses of alerts.
  System Log Facility          The syslog facility SNORT messages are logged under.
  System Log Priority          Just that: all SNORT messages are logged at this syslog priority.
  Block offenders              Changes this instance from an IDS (intrusion detection system) into an IPS (intrusion prevention system).
  Kill states                  When an IP is blocked, any existing firewall states for it are killed as well, so established connections drop immediately (usually a good idea for an IPS instance, see above).
  Which IP to Block            src, dst or both. Leaving this set to both is fine, but note that with both the internal side of the conversation is blocked as well as the external one, so your own hosts must be on the white list (see whitelisting later on).
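The following is an added example and not part of the original guide or of the pfSense Snort package. It ties together the suppression rules, the white list and the "Which IP to Block" setting described above: it parses SNORT alerts as pfSense forwards them to syslog when "Send Alerts to System Logs" is on, turns a chosen alert into a suppression-list entry (global, or tracked by source or destination IP), and works out which addresses an IPS instance would block for that alert after the white list is applied. It assumes Snort's standard alert_syslog line format and suppress directive syntax, and that pfSense blocks the alert's src and/or dst unless the address is on the pass list; the log lines in SAMPLE_SYSLOG are constructed for illustration and the rule IDs are only examples.

```python
# Added example, not from the original guide or the pfSense Snort package.
# Parses Snort syslog alerts, builds suppression-list entries and shows which
# IP(s) the "Which IP to Block" setting would block, net of a white (pass) list.
#
# Assumptions (not stated in the guide):
#   - syslog lines use Snort's alert_syslog format, tagged "snort[pid]:"
#   - the suppress directive is Snort's standard one:
#       suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr>]
#   - pfSense blocks the src and/or dst of an alert unless it is on the pass list
# The log lines in SAMPLE_SYSLOG are constructed for illustration.
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\]:? "
    r"\{(?P<proto>[A-Za-z0-9]+)\} "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]   # None for protocols without ports (e.g. ICMP)
    dst: str
    dport: Optional[int]

def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a Snort syslog line, or None for any other line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["pri"]),
        proto=m["proto"],
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )

def parse_syslog(text: str) -> list:
    """All Snort alerts in a chunk of syslog text; non-Snort lines are skipped."""
    return [a for a in map(parse_alert, text.splitlines()) if a is not None]

def suppress_entry(alert: Alert, track: Optional[str] = None) -> str:
    """Suppression-list entry for this alert's rule.

    track=None     silences the rule for everyone (same effect as disabling it)
    track="by_src" silences it only when alert.src is the source
    track="by_dst" silences it only when alert.dst is the destination
    A '#' comment line records which rule the entry refers to.
    """
    body = f"suppress gen_id {alert.gid}, sig_id {alert.sid}"
    if track == "by_src":
        body += f", track by_src, ip {alert.src}"
    elif track == "by_dst":
        body += f", track by_dst, ip {alert.dst}"
    elif track is not None:
        raise ValueError("track must be None, 'by_src' or 'by_dst'")
    return f"# {alert.msg} (sid {alert.sid})\n{body}"

def blocked_ips(alert: Alert, which: str = "both", pass_list: Iterable[str] = ()) -> set:
    """IPs an IPS instance would add to its block table for this alert.

    which is the "Which IP to Block" setting: "src", "dst" or "both".
    Addresses inside any pass_list network are never blocked, which is why
    your own servers belong on the white list before you enable blocking.
    """
    candidates = {"src": [alert.src], "dst": [alert.dst],
                  "both": [alert.src, alert.dst]}[which]
    nets = [ip_network(n, strict=False) for n in pass_list]
    return {ip for ip in candidates if not any(ip_address(ip) in n for n in nets)}

# Constructed sample: two Snort alerts and one unrelated sshd line.
SAMPLE_SYSLOG = """\
Jan  5 10:22:33 fw snort[51234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.0.2.10:80 -> 198.51.100.5:54321
Jan  5 10:22:41 fw snort[51234]: [1:384:8] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 203.0.113.7 -> 198.51.100.5
Jan  5 10:22:50 fw sshd[411]: Accepted publickey for admin from 198.51.100.9 port 50000 ssh2
"""

if __name__ == "__main__":
    for alert in parse_syslog(SAMPLE_SYSLOG):
        print(alert)
        print(suppress_entry(alert, "by_src"))
        # 198.51.100.0/24 stands in for our own network (the white list)
        print("would block:", blocked_ips(alert, "both", ["198.51.100.0/24"]))
```

With "both" selected and no white list, the first sample alert would block 198.51.100.5 (our own client) as well as the external 192.0.2.10; with 198.51.100.0/24 on the pass list only the external address is blocked. The suppression entry tracked by_src is the one to paste into the interface's suppression list when a single remote host keeps tripping one rule that you still want applied to everyone else.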

    Performance settings

    Search method This determines how well SNORT will perform on your hardware (ma
