Category Archives: Firewalls

Setting up Snort on Pfsense

If you would like to protect your systems from public attacks (e.g. exploits, transitive trust, data-driven, infrastructure, DoS, magic, etc.), then you should consider deploying an IDS or IPS to detect attacks and protect your network from them.
In Pfsense, the well-known open source firewall, you have the capability to deploy Snort, which is one of the most famous and oldest IDPS systems around.
To do so, go to System > Packages and install it.
clip_image001[5]
After clicking on the Packages button you will get a list of packages, and Snort will be listed among them.
clip_image002[4]
Click on the + on the far right to start the installation process.
clip_image003[4]
I’ll click on Confirm to continue.
clip_image004[4]
After it has been installed you will be able to see it in the Services menu.
clip_image005[4]
Click on Snort and let’s configure it.
clip_image006[4]
Before you start configuring Snort, be aware that in order to get it working you must be registered with at least one of the Snort rule communities, which publish the rules that tell Snort what to check for, similar to the firewall’s rules.
The websites are as follows, and their settings are found under the Global Settings tab of the Snort window:
https://www.snort.org/users/sign_up
https://portal.emergingthreats.net/register
clip_image007[4]
I will sign up for a free Snort account and configure all of the supported rule sets to get the most out of it. After signing up I’ll need to activate my account.
clip_image008[4]
clip_image009[4]
I have received the confirmation now and will confirm my account. Once confirmed, Snort will provide you with a code called the VRT Oinkmaster confirmation code.
clip_image010[4]
When your account is activated, go to your profile by clicking on your e-mail address at the top right; you will find the code on the left side. Copy the code and paste it into Snort on Pfsense.
clip_image011[4]
Just like this
clip_image012[4]
After I added the code, this is how my Global Settings tab looks (I enabled all the other free rules as well):
clip_image013[4]
clip_image014[4]
Now I will go to the Updates tab and start updating the rules. After clicking Update, this is how it will look:
clip_image015[4]
When finished, this is how it will look:
clip_image016[4]
Once finished, this is how the Updates tab will look:
clip_image017[4]
If you are connecting to Pfsense from a location on which you plan to enable a Snort interface, then before you enable Snort you must go to Pass Lists and add your IP (your private IP if you plan to enable the LAN interface, or your public IP if you plan to include the WAN interface).
clip_image018[4]
To create a pass list, you first have to create an alias and add the IPs you would like to include in the pass list. Note that these IPs are never going to be checked or filtered by Snort.
To create an alias, click on the Firewall tab and go to Aliases.
clip_image019[4]
Once on the IP list page, click on the + button on the far right to add the IPs you would like to pass.
clip_image020[4]
From Type, select the type of hosts you’d like to include; in my case I want to include only a couple of IPs.
clip_image021[4]
Click Save and Apply, then Close, then go back to Snort’s Pass Lists and click + to add a new pass list.
Select all the networks, WAN IP, Gateway, DNS and finally the alias you created, and save.
clip_image022[4]
Once saved, this is how the pass list is going to look:
clip_image023[4]
Now we can go back to Snort Interfaces and enable the WAN interface for Snort. I’ll click on the Snort Interfaces tab and click + to add the new interface.
clip_image024[4]
Below I will select Block Offenders in order to protect myself from DDoS attacks and other attempts to crack internet-exposed servers (e.g. FTP, HTTP, etc.).
clip_image025[4]
clip_image026[4]
Here, from Pass List, I will select the list I created in the Pass Lists tab.
clip_image027[4]
As you can see below, when the icon is red it means Snort is not running, and you will have to press the red icon to turn it on.
clip_image028[4]
After enabling the WAN interface you will have to define some rules and enable them.
clip_image029[4]
Let’s define some rules for this interface, e.g. FTP. To do so I will click on the E next to the WAN description on the far right of the snapshot above.
We then go to WAN Categories and select the different categories whose rules we want to apply.
clip_image030[4]
Note:
Enabling all rules might affect your VM’s or physical machine’s processor performance.
Now I will select all the rules from the rule list below, which also enables all the rules included in the Snort GPLv2 Community ruleset.
clip_image031[4]
Once added, apply the changes by clicking Apply. If for any reason the service did not start, as in the snapshot below, navigate to the Status tab and check the System Logs.
clip_image032[4]
In the system logs I noticed the following error:
clip_image033[4]
After a lot of digging into this error, it seems to be caused by the “Sensitive Data” rule category; after disabling the whole rule set in this category I was able to start Snort on WAN again.
clip_image034[4]
When this is done, I will test whether Snort is working by simply trying to hack into Pfsense’s portal using wrong passwords, say 10 to 20 times, and seeing whether my IP gets blocked (I’ll use a different public IP that is not in the pass list).
After about 7 attempts with a wrong username and password I tried refreshing the page.
clip_image035[4]
Here is what I got
clip_image036[4]
I will check Snort’s Blocked list to see whether the IP I was connecting from is there. Note that the public IP I was trying to connect from was:
clip_image037[4]
As you can see below, the IP has been blocked and the alert description says it as it is (http_inspection).
So that means our Snort works as expected.
clip_image038[4]

If this has helped you, please leave a comment.


Setup Squid Guard (Proxy Server) on Pfsense

To set up SquidGuard you need two packages installed on your Pfsense for it to work properly.
The first package should be Squid 3 (in case you’re publishing Exchange web services with it) or Squid if not.
The second package would be SquidGuard-Squid3 for Squid 3, or SquidGuard for Squid.
In my case I am using Squid 3, because I use its reverse proxy to publish Exchange web services, so I will install SquidGuard-Squid3 to configure its proxy server.
I have already downloaded and installed it; if you haven’t, navigate to System > Packages > Available Packages, where you can find and install it.
clip_image001
From the Services menu drop-down you will find the three entries below (Proxy Filter, Proxy Server and Reverse Proxy).
clip_image002
First I will go to Proxy Server and enable “Transparent HTTP Proxy” on the General tab.
clip_image003
If you scroll down you will find “Logging Settings” and other options that you don’t need to enable. Logging is mostly needed for troubleshooting.
Next I will go to the “Local Cache” tab and change the Squid hard disk cache settings to allow more than 100 MB. I will set it to 5000 MB, which is 5 GB, to make browsing faster for users who often visit the same websites.
After that you don’t need to do anything except save the changes at the bottom of the page.
clip_image004
Now I will go to the “ACLs” page and allow my local networks by entering them in the “Allowed subnets” section, then save the page.
clip_image005
Now that I am finished with the Proxy Server settings, I will go to Proxy Filter, scroll down to the end of the page, enable the Blacklist option, paste the link below and click Save to save the changes:
http://www.shallalist.de/Downloads/shallalist.tar.gz
clip_image006
Now I will go to the Blacklist tab to download the blacklist from there: I will paste the link below and press Download.
http://www.shallalist.de/Downloads/shallalist.tar.gz
clip_image007
When the download finishes I will go to the “Common ACL” tab and configure the rules we have downloaded. As you can see below, I already have everything configured, but to configure it yourself you first have to press the green Start button (>).
clip_image008
After you press the green button it will show you the rules you can configure. I have already configured (Alcohol, Deny, Gambling, Hacking, Social net)…
clip_image009
clip_image010
Next I will configure the Redirect mode, type my own customized message that will appear to the clients behind Pfsense, and enable SafeSearch.
clip_image011
When done I will save this page, go to the General tab, click “Apply all changes” and save the page.
clip_image012
Note:
The SquidGuard service state should show “Started” in order for it to work. If for any reason the service is not started, navigate to Status > System Logs and check whether there is anything related to SquidGuard or Squid.
clip_image013
Now I will go to a client and check whether clients with Pfsense as their default gateway respond to the SquidGuard rules or not.
I tried opening Facebook and Twitter, but neither works, and both show the same message that I customized in Pfsense.
clip_image014
Overall this was an easy setup and everything works perfectly.
Hope this is useful to you all.


What is Suppressing in Snort? And how to use it (Basic Tutorial)

Suppression allows an administrator to control how many alerts are generated from (or to) a given host, or for a particular signature.
What does it do exactly?
Suppression prevents rules from firing on a specific network segment without removing the rules from the ruleset. By using suppression, a ruleset can be quickly tuned for a specific environment without disabling rules that may be useful in general.
How does it work?
Assume you want to download an executable file from some website. If you have ticked all the rules in Snort for your WAN connection, Snort will alert on this, and block it too if you have the block option enabled. You will get something similar to this alert in the Alerts tab:
clip_image001
And in the Blocked tab you will get something like this:
clip_image002
This is a website I visited, “cyberduck.ch”, to download an FTP application, but Snort alerted and blocked the download host IP, which is “c315635.r35.cf1.rackcdn.com”.
Now, by adding a suppression line in Snort’s Suppress tab, the rule sid:16313, which happens to be “download of executable content with x head”, will not fire again in the Alerts tab once I add the following line to the suppression list:
clip_image003
The first line, starting with a hash, is just a title for the rule to remind you later what exactly it does.
The gen_id 1 and sig_id usually appear in the Alerts tab, so if some rules are blocking websites you visited and don’t want blocked, you can filter the Alerts tab, search for your rule, get the gen_id and sig_id and create the suppression line for it.
Note: new suppression lines won’t take effect until you restart the interface that Snort is monitoring.
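The workflow above (find the gen_id and sig_id in the Alerts tab, then write a suppression line for them) can be automated. The following Python script is an added example, not code from the post or from the Snort package: it parses alert lines in Snort’s "alert_fast" format, groups them by generator and signature id, and emits `suppress` lines with the `#` title comment the post describes. The alert lines are constructed for the example and are not the post’s own alerts; the `track by_src`/`by_dst` option is Snort’s standard suppress syntax for limiting a suppression to specific hosts instead of muting the signature everywhere.

```python
import re
from dataclasses import dataclass

# Constructed sample alerts in Snort "alert_fast" format (not taken from the post).
SAMPLE_ALERTS = """\
01/03-10:15:22.103442  [**] [1:16313:7] FILE-IDENTIFY download of executable content - x-header [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.10:80 -> 192.0.2.25:52144
01/03-10:15:23.551910  [**] [1:16313:7] FILE-IDENTIFY download of executable content - x-header [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.10:80 -> 192.0.2.25:52145
01/03-10:16:01.004771  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 192.0.2.25:52150
"""

# [gid:sid:rev] message [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


@dataclass
class Alert:
    gid: int
    sid: int
    msg: str
    src: str
    dst: str


def parse_alerts(text: str) -> list:
    """Extract (gid, sid, message, src, dst) from each alert_fast line; skips lines that do not match."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(int(m["gid"]), int(m["sid"]), m["msg"], m["src"], m["dst"]))
    return alerts


def suppress_line(gid: int, sid: int, track: str = None, ip: str = None) -> str:
    """Build one Snort suppress entry.

    Without track/ip the signature is silenced everywhere (what the post does).
    With track="by_src" or "by_dst" and an ip, only alerts involving that host are silenced,
    which is the safer choice for a rule that is otherwise useful.
    """
    line = f"suppress gen_id {gid}, sig_id {sid}"
    if track:
        if track not in ("by_src", "by_dst") or not ip:
            raise ValueError("track must be by_src or by_dst and an ip must be given")
        line += f", track {track}, ip {ip}"
    return line


def build_suppressions(alerts: list, track: str = None) -> list:
    """Return suppress-list lines: a '#' title per signature, then one suppress line per signature
    (or one per distinct host when track is given)."""
    by_sig = {}
    for a in alerts:
        entry = by_sig.setdefault((a.gid, a.sid), {"msg": a.msg, "ips": []})
        ip = a.src if track == "by_src" else a.dst
        if track and ip not in entry["ips"]:
            entry["ips"].append(ip)
    lines = []
    for (gid, sid), entry in sorted(by_sig.items()):
        lines.append(f"# {entry['msg']}")
        if track:
            lines.extend(suppress_line(gid, sid, track, ip) for ip in entry["ips"])
        else:
            lines.append(suppress_line(gid, sid))
    return lines


if __name__ == "__main__":
    # Silence sid 16313 only for the CDN host that served the download, leave it active elsewhere.
    for line in build_suppressions(parse_alerts(SAMPLE_ALERTS), track="by_src"):
        print(line)
```

Paste the generated lines into the Suppress tab and restart the interface, as the note above says; the per-host form keeps the signature active for any other source, so a genuine executable download from an unexpected host is still reported.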
clip_image004
 
Hope this was useful to you.


How I configured my own name server (Public DNS) on Pfsense

To configure your own name server, you must first have a public domain (domain.com).
In this example I will register a free domain from this registrar: www.freenom.com
The registration process is pretty simple: follow the wizard, validate your email, then sign in to your portal to edit or configure your free domain.
I have already added a new domain for myself, called moh10ly.cf.
clip_image001
To configure name servers, you must fulfill the following prerequisites:

  1. A public static IP.
  2. The DNS package on Pfsense.
  3. A firewall that supports static NAT.

Next step: I will click on Manage Domain to change the DNS configuration and point it to my own name server.
clip_image002
When you get the following window, click on Management Tools and choose “Register glue records”.
clip_image003
Very important note:
Next, add your name servers (they don’t need to exist yet, as we will create them later), but you will have to create at least 2, and you can point them to the same public IP address.
clip_image004
Scroll down and you will find an option to add the second DNS server; you can call it dns2 and point it to the same IP address.
Next save the changes, then click on Management Tools -> Name Servers; if you can’t find the new name servers you configured there, enter them here.
clip_image005
Save the changes again.
Now let’s go to Pfsense and set up our public DNS (name server). Go to “System > Packages > Available Packages” and install “dns-server” or “TinyDns”.
clip_image006
When you have finished installing TinyDns you will find it under the “Services” menu. Click on it.
Once there, click on the “Settings” tab and, in the binding IP address, enter the public IP you will use for the name servers. Make sure you use the WAN NIC to listen on.
clip_image007
Save, then click on the “New domain wizard” to set up your domain.
clip_image008
Click Next
clip_image009
In the next window configure your domain as follows, making sure it matches your domain’s configuration at the registrar.
clip_image010
Click Next and Finish
Once finished, go to the Add/Edit Record tab, where you will find 4 created records.
clip_image011
Next, create the root DNS record, which is “.”, and point it to the same public IP, along with any other records for roles you have installed, such as Exchange, IIS, etc.
clip_image012
Now it’s time to configure the firewall to allow inbound queries on port 53. Here’s the rule I created under Firewall > Rules; because I have only one public IP address on WAN, I won’t use a static NAT rule.
clip_image013
I will go back to TinyDns on Pfsense to see the incoming name resolution requests from public clients.
Under the Logs tab I could see the requests I was making from my PC using Google as my DNS, so everything works fine.
clip_image014
That’s it, the configuration of your own name server is done.


Ping on Pfsense gives “Invalid argument”

When you enable the DHCP server on the NIC you are trying to ping from, you get “Invalid argument”.
 
clip_image001
 
If you have enabled the DHCP server, the Static ARP option might be enabled by default. To fix the communication issue between clients and the firewall, simply disable this option by unticking “Enable static ARP entries”.
 
clip_image002


Block Local DNS Traffic from passing over proxy server

Filter DNS traffic after blocking websites with Squid
Let’s assume you have installed and configured Squid Proxy to block several categories of websites that you don’t want your users or clients to visit.
In some places, interfering with client machines or applying a strict Group Policy in AD is not an option, which might leave users a way to bypass the proxy rules. I considered the same issue: after I configured Squid Proxy to block certain websites (porn, chat, social, etc.) using the WPAD auto-discovery method, I realised that if a user changes their DNS server they bypass the proxy and can find a way to connect to those blocked websites.
Then I thought: what if I could block external DNS queries and force all DNS queries to go through Pfsense or my internal DNS?
To do so I configured my Pfsense’s WAN DNS to Google (System > General Setup).
clip_image001
I added my local DNS to the DNS Resolver (Pfsense version 2.2).
clip_image002
Next I will go to Firewall > Rules, go to my LAN (DMZ in my case) and create 3 rules in total, as follows:
The first rule in the figure below allows DNS query requests from any source only to the local address of Pfsense;
the second rule allows DNS requests from the local DNS server to any DNS server;
the third rule blocks DNS requests from anywhere else.
clip_image003
As a result, all clients are forced to use the local DNS to resolve names. Even if a user changes their LAN/Wi-Fi DNS to Google, they will still be able to connect to the websites allowed by Squid, but they won’t be able to resolve FQDNs themselves (through the nslookup command, for example).
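Because pfSense evaluates rules top-down and stops at the first match, the order of the three rules is what makes the policy work. The Python script below is an added example, not code from the post or from pfSense: it models the three rules (plus pfSense’s default “allow LAN to any” rule behind them) as a first-match evaluator and checks the scenarios the post describes. The addresses (10.10.0.0/24 for the LAN, 10.10.0.1 for pfSense, 10.10.0.10 for the internal DNS) are assumed lab values, not taken from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed lab addressing (constructed for this example, not the post's real network).
LAN_NET = ipaddress.ip_network("10.10.0.0/24")      # the LAN/DMZ segment clients sit on
PFSENSE_LAN_IP = ipaddress.ip_address("10.10.0.1")  # pfSense's address on that segment (DNS Resolver)
LOCAL_DNS_IP = ipaddress.ip_address("10.10.0.10")   # internal DNS server that forwards upstream
GOOGLE_DNS = ipaddress.ip_address("8.8.8.8")
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(ip) -> ipaddress.IPv4Network:
    """A /32 network for a single address, so 'in' tests work uniformly."""
    return ipaddress.ip_network(f"{ip}/32")


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    src: ipaddress.IPv4Network       # source must fall inside this network
    dst: ipaddress.IPv4Network       # destination must fall inside this network
    port: Optional[int] = 53         # destination port; None matches any port
    description: str = ""


# The three rules from the post, in evaluation order, followed by pfSense's stock LAN rule.
DNS_RULES = [
    Rule("pass", LAN_NET, host(PFSENSE_LAN_IP), description="clients -> pfSense resolver"),
    Rule("pass", host(LOCAL_DNS_IP), ANY, description="local DNS -> any upstream DNS"),
    Rule("block", ANY, ANY, description="block all other DNS"),
    Rule("pass", LAN_NET, ANY, port=None, description="default allow LAN to any"),
]


def evaluate(rules, src, dst, dport: int = 53):
    """First-match evaluation, as pfSense does; unmatched traffic hits the implicit deny."""
    src, dst = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
    for r in rules:
        if (r.port is None or r.port == dport) and src in r.src and dst in r.dst:
            return r.action, r.description
    return "block", "implicit deny"


def policy_report(rules) -> dict:
    """Run the scenarios from the post through the rule set and return scenario -> action."""
    scenarios = {
        "client -> pfSense resolver": ("10.10.0.50", PFSENSE_LAN_IP, 53),
        "client -> 8.8.8.8 (bypass attempt)": ("10.10.0.50", GOOGLE_DNS, 53),
        "local DNS -> 8.8.8.8 (forwarding)": (LOCAL_DNS_IP, GOOGLE_DNS, 53),
        "client -> web server via proxy, port 443": ("10.10.0.50", "203.0.113.5", 443),
    }
    return {name: evaluate(rules, s, d, p)[0] for name, (s, d, p) in scenarios.items()}


if __name__ == "__main__":
    for name, action in policy_report(DNS_RULES).items():
        print(f"{action:5}  {name}")
    # Putting the block rule first would also block the resolver itself: order matters.
    misordered = [DNS_RULES[2], DNS_RULES[0], DNS_RULES[1], DNS_RULES[3]]
    print("misordered:", policy_report(misordered))
```

The report shows the behaviour the post observes: a client pointed at 8.8.8.8 has its DNS blocked while its port-443 traffic still passes (the proxy resolves names on its behalf), and the internal DNS server is the only host allowed to query upstream resolvers.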
I’m attaching screenshots to demonstrate that this works flawlessly.
As you can see below, I opened Google, Flickr, Facebook and Gmail and searched for the local time, and it all worked according to the Squid rules while still using 8.8.8.8 as DNS.
clip_image004
Now I will change the DNS back to the local DNS IP and check whether I can resolve internet addresses and connect without issue, which worked fine too.
clip_image005
This is a simple article, but I’m sure it could be very useful for companies that want to block a wide range of categories and enforce it for their employees, or for families who want to keep their kids away from inappropriate or violent websites.
From <http://www.moh10ly.com/blog/pfsense/filter-dns-traffic-after-blocking-websites-with-squid>


Publishing Exchange on Pfsense 2.1.5

Note:
Before starting, you must know that if you are going to use the same public IP (WAN) of Pfsense for Exchange web services, you must set Pfsense’s web interface to use a non-standard HTTP/HTTPS port.
First, we have to install the Squid 3 package on Pfsense.
clip_image001
I will click on the plus sign (+) next to the Squid3 package to install it.
clip_image002
clip_image003
clip_image004
Now we have to export the certificate from our Exchange server and import it into the certificate store in Pfsense.
clip_image005
Now I’ll click on the + under CAs to import the certification authority’s root certificate.
clip_image006
I opened the CA certificate in Notepad++, copied all of it, gave it a name and clicked Save.
clip_image007
After clicking on Save here is what I got.
clip_image008
Now I will add Exchange’s personal certificate and key, using DigiCert’s tool to export the key as in the following screenshot.
clip_image009
Now I’ll go back to Pfsense’s portal, to the Certificates section, to add Exchange’s certificate: I will go to the Certificates tab and click on the + sign to add the cert.
clip_image010
clip_image011
I added the certificate data and the certificate’s key as well; after I clicked on Save, here is what it looks like.
clip_image012
Now I will go to the Reverse Proxy tab and configure it for Exchange. The first thing to do is enable the HTTP and HTTPS ports and choose the Exchange certificate.
clip_image013
Here I have enabled all the ports and chosen the right certificate; I will also import the intermediate certificate in case it is needed.
clip_image014
I will go back to the Exchange server, where I have all the certificates, and export the intermediate certificate.
To identify the intermediate certificate, I will open the MMC, click on the personal certificate and check its certification path.
clip_image015
I will double-click on the certificate and check its certification path.
clip_image016
Opening the Intermediate Certification Authorities store.
clip_image017
I will use the MMC export wizard to export the certificate with the Base-64 encoded option.
clip_image018
After exporting:
clip_image019
Now I will enable OWA and fill in the related information as follows.
clip_image020
Next I will go to the firewall’s NAT section to configure the required ports and IPs. Click on the Firewall tab, then NAT.
clip_image021
I only need to configure ports 25 and 443, since I already have a certificate and want to use HTTPS instead of HTTP.
clip_image022
Here is what my firewall looks like right now.
clip_image023
Note: on the Exchange server the default gateway should be the LAN IP of
I will save this rule and check whether I can browse to OWA from my browser. Note that I am connecting remotely and the Exchange server is hosted on Hyper-V at a different location.
clip_image024
WHOA, it works without any issues, but I’ll still sign in to make sure I can log in without any problem.
clip_image025
clip_image026
clip_image027
Now it’s time to make sure that ActiveSync is working properly as well. I will first test ActiveSync with the Remote Connectivity Analyzer at www.testexchangeconnectivity.com or https://testconnectivity.microsoft.com
I will go to the Exchange Server section.
clip_image028
Then I will enter my credentials, as you can see below.
clip_image029
The test will take about 15-30 seconds to finish.
clip_image030
Then it will show the expected result.
clip_image031
clip_image032
Hope this would be useful for anyone.

Configuring Pfsense on a non standard SSH port with Keys

In this post I will guide you through enabling SSH access to Pfsense on a non-standard SSH port with private keys, in order to further strengthen the security of connecting to your firewall.

First I will open the web browser to Pfsense, then from the System menu I will click on Advanced.
[Screenshot: the Pfsense System menu]
I will scroll down to Secure Shell, enable it, use a different SSH port than the standard 22, and also disable password login for the secure shell, so that only the keys configured for the user I want to allow can be used to connect over SSH.
[Screenshot: Secure Shell settings: Enable Secure Shell; Disable password login for Secure Shell (RSA/DSA key only); SSH port, with the note “Leave this blank for the default of 22”]
After this option is enabled I will go to User Manager and create a new user by pressing the + button on the far right.
[Screenshot: System: User Manager showing the admin account]
I want this user to be part of the admins group in order to have the privileges required to configure anything from the SSH session without issue.
[Screenshot: user properties: username sshuser, full name “SSH user”, group membership, expiration date (mm/dd/yyyy, blank if the account should not expire)]
Before I save this user I will scroll down and enable the Authorized Keys option.
[Screenshot: Authorized Keys: “Click to paste an authorized key”]
To configure a key, I need to use a free tool to generate a public/private key pair for the user’s authentication.
In my case I will use the PuTTYgen tool, which is free and available to download on the internet; I will also attach the tool at the bottom of this page for anyone to use.
I will run PuTTY Key Generator and change the number of bits to make the key harder to crack: I will use 2048 bits instead of 1024.
[Screenshot: PuTTY Key Generator: Generate / Load / Save public key / Save private key; Type of key to generate: SSH-1 (RSA), SSH-2 RSA (selected), SSH-2 DSA; Number of bits in a generated key]
I will click on Generate and move my mouse within the PuTTYgen window until the key is generated.
[Screenshot: PuTTY Key Generator: “Please generate some randomness by moving the mouse over the blank area”]
You have to keep moving the mouse cursor within this window until the progress bar finishes generating your key.
As you can see below, the public and private keys are generated, but you have to type your own “Key passphrase”, as you will need it when you connect to the SSH session.
[Screenshot: PuTTY Key Generator showing the generated public key for pasting into the OpenSSH authorized_keys file, the key fingerprint, the key comment (key-20141231) and the key passphrase fields]
I will copy the public key from where it says “Public key for pasting into OpenSSH authorized_keys file” and paste it into the Authorized Keys field in Pfsense.
[Screenshot: the public key copied from PuTTY Key Generator and pasted into the Pfsense Authorized Keys field]
Now I will save both the public and private key in a folder for my own use. Let’s create a folder called Pfsense_SSH_Key and save both keys in it.
[Screenshot: saving “private key.ppk” and the public key in the Pfsense_SSH_Key folder on drive D:]
Both keys are saved in this folder, but I will only need the private key with an SSH client, e.g. PuTTY, to connect to Pfsense.
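The line PuTTYgen labels “Public key for pasting into OpenSSH authorized_keys file” has a fixed wire format (`ssh-rsa`, then base64 of three length-prefixed fields: the key type, the RSA exponent and the RSA modulus, per RFC 4253), so the 2048-bit choice made above can be verified before the key is pasted into Pfsense. The Python script below is an added example, not code from the post or from PuTTY: it builds an authorized_keys line from RSA public components and, in the other direction, parses such a line and reports the key type and modulus size against a minimum. The key material is constructed from an arbitrary 2048-bit odd number purely for the demonstration; it is not a real key and must not be used as one.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint': two's-complement big-endian; a leading 0x00 is added when the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_authorized_key(e: int, n: int, comment: str) -> str:
    """Encode RSA public components as one OpenSSH authorized_keys line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _read_string(buf: bytes, off: int):
    """Read one SSH 'string' at offset off; returns (bytes, new offset)."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + length], off + length


def inspect_authorized_key(line: str, min_bits: int = 2048) -> dict:
    """Parse an authorized_keys line; report type, comment, RSA modulus bits and whether it meets min_bits."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = " ".join(parts[2:])
    blob = base64.b64decode(b64, validate=True)
    inner_type, off = _read_string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError("key type prefix does not match the encoded blob")
    result = {"type": key_type, "comment": comment, "bits": None, "ok": False, "reason": ""}
    if key_type != "ssh-rsa":
        result["reason"] = "only ssh-rsa keys are checked by this example"
        return result
    _e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    bits = int.from_bytes(n_bytes, "big").bit_length()   # leading 0x00 pad does not add bits
    result["bits"] = bits
    if bits >= min_bits:
        result["ok"] = True
    else:
        result["reason"] = f"RSA modulus is {bits} bits, policy requires at least {min_bits}"
    return result


# Constructed demo keys (NOT real keys): an arbitrary 2048-bit and a 1024-bit odd modulus.
DEMO_2048 = make_rsa_authorized_key(65537, (1 << 2047) | 12345, "key-20141231")
DEMO_1024 = make_rsa_authorized_key(65537, (1 << 1023) | 12345, "old-1024-bit")

if __name__ == "__main__":
    for line in (DEMO_2048, DEMO_1024):
        print(inspect_authorized_key(line))
```

Running `inspect_authorized_key` over each line of an authorized_keys file is a cheap way to catch a 1024-bit or non-RSA key that slipped into a firewall account; the check reads only the public half, so it never needs the passphrase or the .ppk file.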
Now I will get back to the user and add the effective privileges that will allow the user to connect over SSH; I will click on the + button.
[Screenshot: Effective Privileges, inherited from admins: “WebCfg - All pages: Allow access to all pages”]
From the system privileges I will add “User - System - Shell account access” and “User - System - SSH tunneling”.
[Screenshot: System: User Manager: Add privileges list, including User - System - Shell account access and User - System - SSH tunneling]
Then save these settings and save the user settings.
[Screenshot: System: User Manager showing the admin and sshuser accounts]
Then configure a firewall rule for the new SSH port I configured in the Advanced window: I will go to Firewall > Rules and create a new rule that allows my public IP address (my work IP address) to my Pfsense’s WAN address (my home IP address) on port 2222.
[Screenshot: Firewall: Rules, showing the new rule with destination WAN address, port 2222]
Once this is configured, I can test the SSH connection using PuTTY (not PuTTY Key Generator).
Type the IP address in the Host Name field, then the port I configured for SSH, and select SSH under Connection type.
[Screenshot: PuTTY Configuration: Session: Host Name (or IP address), Port, Connection type: SSH]
Before clicking on Open to open the connection I have to load the private key under Connection > SSH > Auth.
[Screenshot: PuTTY Configuration: Connection > SSH > Auth, “Private key file for authentication”: D:\Pfsense_SSH_Key\private key.ppk]
Now I will click on Open; it should show a warning when the connection opens.
[Screenshot: PuTTY Security Alert: “The server’s host key is not cached in the registry. You have no guarantee that the server is the computer you think it is. The server’s rsa2 key fingerprint is: ssh-rsa 2048 … If you trust this host, hit Yes to add the key to PuTTY’s cache and carry on connecting. If you want to carry on connecting just once, without adding the key to the cache, hit No. If you do not trust this host, hit Cancel to abandon the”]
Click Yes and continue, then type the username I set up and the passphrase you set.
[Screenshot: “login as: sshuser”, “Authenticating with public key”, “Passphrase for key”]
After a successful login it will show the following, and here you can start.
[Screenshot: the FreeBSD copyright banner and the shell prompt for sshuser in /home/sshuser]
I am going to try to show the network configuration by typing ifconfig.
[Screenshot: ifconfig output listing the interfaces with their flags, MAC addresses, IPv4/IPv6 addresses and media status]
So everything seems to be working as expected. If you want to give this particular user more administrative privileges, log in as admin and add more system privileges in the user's "Effective Privileges" section.
Hope this helps.

Setting up Snort on Pfsense

If you would like to protect your systems from public attacks (exploits, transitive trust, data driven, infrastructure, DoS, magic, etc.), you should consider deploying an IDS or IPS to detect attacks against your network and protect it.
In pfSense, the well-known open source firewall, you can deploy Snort, one of the oldest and best-known IDS/IPS systems around.
To do so, go to System / Packages and install it.
[Screenshot: pfSense dashboard with the System menu open on Packages; the Interfaces widget lists WAN, LAN and DMZ]
After clicking on the Packages button you get a list of available packages, and snort is listed among them.
[Screenshot: Available Packages list with the snort entry (Stable 2.9.7.0 pkg v3.2.1, platform 2.1), described as an open source network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection]
Click on the + on the far right to start the installation process.
[Screenshot: System: Package Manager: Install Package confirmation dialog with Confirm and Cancel buttons]
I'll click on Confirm to continue.
[Screenshot: installation log: snort installation completed, custom commands executed, menu items and services added, configuration written. Snort setup instructions: please visit the Snort settings tab first and select your desired rules, then visit the update rules tab to download your configured rules.]
After it has been installed you will see it on the Services menu.
[Screenshot: the Services menu now lists Snort]
Click on Snort and let’s go configure it.
[Screenshot: Services: Snort 2.9.7.0 pkg v3.2.1 overview page with the tabs Snort Interfaces, Global Settings, Updates, Alerts, Blocked, Pass Lists, Suppress, IP Lists, SID Mgmt, Log Mgmt and Sync. The note on the page says to visit the Global Settings tab before adding an interface, that new settings do not take effect until the interface is restarted, and that the status icons show (and toggle) the Snort and Barnyard2 status.]
Before you start configuring Snort, you need to know that to get it working you must be registered with at least one of the Snort rule communities, which publish the rules that tell Snort what to look for, similar to the firewall's rules.
The websites are Snort.org and EmergingThreats.net, and their settings are found under the Global Settings tab in the Snort window.
I will sign up for a free Snort account and configure all of the rule sets Snort supports in order to get the most out of it. After signing up I will need to activate my account.
[Screenshot: Snort.org Sign Up form: e-mail, password, password confirmation]
[Screenshot: Snort.org home page after signing up (Get Started, Rules, Documents, Downloads, Products, Community)]
I have received the confirmation e-mail and will confirm my account now. Once confirmed, Snort provides you with a code called the VRT Oinkmaster code (Oinkcode).
[Screenshot: account confirmation e-mail from noreply@snort.org with a "Confirm my account" link]
Once your account is activated, open your profile by clicking your e-mail address at the top right; the Oinkcode is shown on the left side. Copy the code and paste it into Snort on pfSense.
[Screenshot: Snort.org account page showing the Oinkcode and a Regenerate button (the code itself is not reproduced here)]
Just like this:
[Screenshot: Snort Global Settings with the Oinkcode pasted into the Snort VRT Oinkmaster Configuration field and "Snort VRT free Registered User or paid Subscriber rules" enabled]
After adding the code, this is how my Global Settings tab looks (I enabled all the other free rule sets as well):
[Screenshot: Snort Global Settings with the Snort VRT rules, Snort GPLv2 Community Rules, ETOpen rules and the OpenAppID detectors package enabled. The page notes that the Community Ruleset is a GPLv2 VRT-certified subset of the subscriber ruleset distributed free of charge (already included if you are a paid VRT subscriber), that ETPro contains all of the ETOpen rules so ETOpen is disabled automatically when ETPro is selected, and that the OpenAppID detectors package must be downloaded from the Updates tab to use the Application ID preprocessor.]
[Screenshot: Rules Update Settings: update interval (NEVER disables auto-updates; every 12 hours is suggested), update start time in 24-hour HH:MM format (default 00:05), the interval after which blocked hosts are removed, and logging options. Note: changing any settings on this page affects all Snort-configured interfaces.]
Now I will go to the Updates tab and update the rules. After clicking Update, this is how it looks:
[Screenshot: Services: Snort: Update Rules: There is a new set of Snort VRT rules posted. Downloading...]
When finished, it looks like this:
[Screenshot: The Rules update has finished. The rules update task is complete.]
Once finished, this is how the Updates tab looks:
[Screenshot: Snort: Updates tab listing the installed rule sets (Snort VRT Rules, Snort GPLv2 Community Rules, Emerging Threats Open Rules, Snort OpenAppID Detectors) with their MD5 signature hashes and signature dates (29 and 30 Dec 2014); last update result: success. Note: Snort.org and EmergingThreats.net go down from time to time, please be patient.]
If you connect to pfSense from a location that sits behind an interface you plan to enable Snort on, then before enabling Snort you must go to Pass Lists and add your IP (your private IP if you plan to enable the LAN interface, or your public IP if you plan to include the WAN interface).
[Screenshot: Snort: Pass Lists tab. 1. Here you can create Pass List files for your Snort package rules; hosts on a Pass List are never blocked by Snort. 2. Add all the IP addresses or networks (in CIDR notation) you want to protect against Snort block decisions. 3. The default Pass List includes the WAN IP and gateway, defined DNS servers, VPNs and locally-attached networks. 4. Be careful, it is very easy to get locked out of your system by altering the default settings. Remember you must restart Snort on the interface for changes to take effect.]
To create a Pass List you first create an Alias containing the IPs you want in the list; note that, as the Pass Lists tab says, these IPs are never going to be blocked by Snort.
To create an Alias, click on the Firewall tab and choose Aliases.
[Screenshot: Firewall menu with the Aliases entry]
Once on the IP list page, click the + button on the far right to add the IPs you would like to pass.
[Screenshot: Firewall: Aliases page. Aliases act as placeholders for real hosts, networks or ports and can be entered in any field with a red background; an alias that cannot be resolved (e.g. because you deleted it) makes the corresponding filter/NAT/shaper rule invalid, and it is skipped.]
From Type, select the kind of hosts you would like to include; in my case I only want to include a couple of IPs.
[Screenshot: Firewall: Aliases: Edit, name "Public IPs", type Host(s). Hosts may be entered by IP address or fully qualified domain name (FQDN); FQDNs are periodically re-resolved, and if a DNS query returns multiple IPs all of them are used.]
Click Save and then Apply, close, and go back to Snort's Pass Lists and click + to add a new Pass List.
Select all the Networks, WAN IP, gateway and DNS options, and finally the Alias you created, and save.
[Screenshot: Snort: Pass List Edit: list name passlist11465 (no spaces or dashes), with the auto-generated address options checked: Local Networks (excluding WAN), WAN IPs, WAN Gateways, WAN DNS servers, Virtual IP Addresses, VPN Addresses, and the custom "Public IPs" alias assigned.]
Once saved, this is how the Pass Lists tab looks:
[Screenshot: Snort: Pass Lists tab now listing passlist11465 with the assigned alias "Public IPs"]
Now we can go back to Snort Interfaces and enable the WAN interface for Snort. I'll click on the Snort Interfaces tab and click + to add the new interface.
[Screenshot: Services: Snort overview page, Snort Interfaces tab, before any interface has been added]
Below I will enable Block Offenders in order to protect myself from DDoS attacks and other attempts to break into internet-exposed servers (FTP, HTTP, etc.).
[Screenshot: Snort: Interface Edit Settings: Enable; Interface WAN (hint: in most cases you'll want WAN here); Description; Send Alerts to System Logs; Block Offenders (hosts that generate alerts are blocked); Kill States for the blocked IP; and Which IP to Block (src, dst or both; both is the suggested default).]
[Screenshot: Performance settings: Search Method (default AC-BNFA; LOWMEM and AC-BNFA recommended for low-end systems, AC-SPLIT low memory/high performance, AC high memory/best performance, AC-STD, ACS, AC-BANDED, AC-SPARSEBANDS), Split ANY-ANY, Search Optimize, Stream Inserts, and Checksum Checking (most of this is already done at the firewall).]
Under Pass List I will select the list I created on the Pass Lists tab.
[Screenshot: interface network settings: Home Net (the default adds local networks, WAN IPs, gateways, DNS servers and VPNs), External Net, Pass List (only used when Block Offenders is enabled), and the Suppression and Filtering list.]
As you can see below, when the icon is red Snort is not running on that interface, and you have to click the red icon to start it.
[Screenshot: Snort Interfaces tab with the WAN interface added; warning: Snort is not running on WAN, click to start.]
After enabling the WAN interface you have to define some rules and enable them.
[Screenshot: Snort Interfaces tab; warning: the marked interface currently has no rules defined for Snort.]
Let's define some rules for this interface, e.g. for FTP. To do so I will click on the edit (E) icon next to the WAN description on the far right of the snapshot above.
Then go to WAN Categories and select the categories whose rules you want to apply.
[Screenshot: Snort: Interface WAN - Categories. Resolve Flowbits: if checked, Snort auto-enables the rules required for checked flowbits (default checked). Use IPS Policy: if checked, Snort uses rules from one of three pre-defined Snort VRT IPS policies, Connectivity, Balanced or Security, and the individual Snort VRT categories in the list are disabled.]
Note:
Enabling all rules might affect the processor performance of your VM or physical machine.
Now I will select all the rules in the rule list below; that also enables all the rules included in the Snort GPLv2 Community ruleset.
[Screenshot: rule category list with Select All checked: the Snort VRT categories (app-detect, attack-responses, backdoor, bad-traffic, blacklist, botnet-cnc, browser-chrome, browser-firefox, browser-ie, browser-other, browser-plugins, chat, dos, exploit-kit, exploit, file-executable, file-flash, ...), the Snort GPLv2 Community Rules (VRT certified), and the ET Open categories (emerging-activex, emerging-attack_response, emerging-botcc, emerging-chat, emerging-ciarmy, emerging-compromised, emerging-current_events, emerging-deleted, emerging-dns, ...).]
Once added, you have to save and then click Apply. If for any reason the service does not start, as in the snapshot below, navigate to the Status tab and check the System Logs.
[Screenshot: Snort Interfaces tab with WAN listed but Snort still not running]
In the system logs I noticed the following error:
[Screenshot: System Logs: php: /snort/snort_rules.php: (Snort) Updating rules configuration for: WAN; Enabling any flowbit-required rules for: WAN...; Building new sig-msg.map file for WAN...; Snort RELOAD CONFIG for WAN(de0)...; then snort: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_6026_de0/rules/….rules(427) Unknown rule option: 'sd_pattern'; kernel: de0: promiscuous mode disabled]
After a lot of digging into this error, it seems to be caused by the "Sensitive Data" rules; after disabling every rule in that category I was able to start Snort on WAN again.
[Screenshot: Snort: Interface WAN - Rules, category sensitive-data.rules: SENSITIVE-DATA Credit Card Numbers, U.S. Social Security Numbers (with dashes), U.S. Social Security Numbers (w/out dashes), Email Addresses, U.S. Phone Numbers, all from $HOME_NET to $EXTERNAL_NET. Total rules: 5, Enabled: 0, Disabled: 5, User Disabled: 5.]
Once this is done, I will test whether Snort is working by simply trying to log in to the pfSense portal with wrong passwords, say 10 to 20 times, and seeing whether my IP gets blocked (I'll use a different public IP which is not in the pass list).
After about 7 attempts with a wrong username and password, I tried refreshing the page.
[Screenshot: pfSense login page: Username or Password incorrect]
Here is what I got:
[Screenshot: browser showing "This webpage is not available" for the pfSense portal]
I will check Snort's blocked list to see whether the IP I was connecting from is there. Note that the public IP I was trying to connect from was the one shown below.
[Screenshot: the public IP address used for the test (partially shown)]
As you can see below, the IP has been blocked and the alert description says it as it is (http_inspect).
So that means our Snort works as expected.
[Screenshot: Snort: Blocked Hosts, showing the test IP blocked on 12/30/14 with alert description (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE; 1 host IP address is currently being blocked.]
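The block decision this test relies on (Block Offenders together with the Pass List) can be reasoned about offline. The following is an added example in JavaScript, not code from the pfSense Snort package or from the original post: it parses Snort alert_fast lines and reports which addresses would be blocked. The pass-list entries and alert lines are constructed placeholders from documentation address ranges.

```javascript
// Added example: model the "block offenders" decision described in the post.
// Hosts on the pass list are never blocked; by default both the source and the
// destination address of an alert are block candidates ("Which IP to Block: both").
// Not the pfSense package's own code; all addresses and alerts are constructed.

// Pass list as the post builds it: local network, WAN IP, and the admin's "Public IPs" alias.
const PASS_LIST = [
  "10.10.0.0/24",      // locally attached network (constructed)
  "203.0.113.1/32",    // WAN interface IP (constructed placeholder)
  "203.0.113.10/32",   // admin's public IP from the alias (constructed placeholder)
];

// Constructed lines in Snort's alert_fast format: timestamp, [gid:sid:rev], message,
// classification, priority, protocol, then "src:port -> dst:port" (no ports for ICMP).
const SAMPLE_ALERTS = [
  "12/30/14-16:28:01.123456  [**] [119:31:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.7:51234 -> 203.0.113.1:443",
  "12/30/14-16:28:03.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:40000 -> 203.0.113.1:80",
  "12/30/14-16:28:05.500000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.9 -> 203.0.113.1",
  "garbage line that is not an alert",
];

const ALERT_RE = /^(\S+)\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*([^\]]*)\]\s+)?\[Priority:\s*(\d+)\]\s+\{(\w+)\}\s+(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?\s+->\s+(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?\s*$/;

// Parse one alert_fast line; returns null for lines that are not alerts.
function parseAlert(line) {
  const m = ALERT_RE.exec(line);
  if (!m) return null;
  return {
    timestamp: m[1], gid: Number(m[2]), sid: Number(m[3]), rev: Number(m[4]),
    msg: m[5], classification: m[6] || "", priority: Number(m[7]), proto: m[8],
    src: m[9], srcPort: m[10] ? Number(m[10]) : null,
    dst: m[11], dstPort: m[12] ? Number(m[12]) : null,
  };
}

// IPv4 dotted quad -> unsigned 32-bit integer (throws on malformed input).
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip falls inside the CIDR block (a bare address means /32).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

function isPassed(ip, passList) {
  return passList.some((cidr) => inCidr(ip, cidr));
}

// Evaluate alert lines the way Block Offenders would: every candidate address of each
// alert is blocked unless it is on the pass list. `which` is "src", "dst" or "both".
// Returns a Map of blocked IP -> the alert messages that caused the block.
function blockDecisions(lines, passList, which = "both") {
  const blocked = new Map();
  for (const line of lines) {
    const a = parseAlert(line);
    if (!a) continue;
    const candidates = which === "src" ? [a.src] : which === "dst" ? [a.dst] : [a.src, a.dst];
    for (const ip of candidates) {
      if (isPassed(ip, passList)) continue;   // pass-listed hosts are never blocked
      if (!blocked.has(ip)) blocked.set(ip, []);
      blocked.get(ip).push(a.msg);
    }
  }
  return blocked;
}

for (const [ip, msgs] of blockDecisions(SAMPLE_ALERTS, PASS_LIST)) {
  console.log(ip, "would be blocked:", msgs.join(" | "));
}
```

Run it with the WAN IP removed from the pass list and the firewall's own address shows up as blocked, which is why the default pass list includes the WAN IP and gateway.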

Block Facebook on Pfsense using WPAD Autodiscover feature

How to block Facebook over HTTPS on the Squid proxy server, without importing IPs/CIDRs or configuring the clients' browsers with proxy settings, using the WPAD Autodiscover feature for Squid.

Note:
Before you begin reading this article, you must have the proxy filter configured to deny SocialNet in the blacklist under Services / Proxy Filter / Common ACL.



To block Facebook or any other website over HTTPS on pfSense (Squid) without finding all the CIDRs or IPs of Facebook or any other website, we use the Squid proxy's autodiscover feature, which relies on a WPAD file, somewhat like the way Exchange uses its Autodiscover XML file.
Prerequisites
  1. To block sites on HTTPS you need SquidGuard installed and configured on pfSense. If you don't know how, you can look it up under my pfSense web page.
  2. To use this feature you have to disable transparent mode on the Squid server. To do so, navigate to Proxy Server under the Services menu and un-tick "Transparent HTTP proxy".
  3. You need a DHCP server up and running, and you need to create DHCP option 252, which provides the HTTP path to the files we will create further on.
  4. A DNS server configured for the domain the clients use, so that you can add the required A record for wpad.


Autodiscover Files
Then we have to create the following files in Notepad and save each of them with a specific extension, as in the snapshot below.

The 3 files have the same contents: "a single file with a JavaScript function which tells the browser how to find a proxy hostname and port", that is, the Squid proxy server's IP or pfSense's IP. I will open one of them and show you what I have inside the file.
Note: in my case this is the IP of my pfSense server, which has Squid installed and configured on it.
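A wpad/proxy.pac of the kind described above, as an added example and not the author's own file: a plain-JavaScript FindProxyForURL that keeps local traffic direct and sends everything else, HTTPS included, to Squid so that SquidGuard sees the CONNECT host name. The proxy address 10.10.0.155 and port 3128 are assumptions; replace them with your pfSense address and Squid port.

```javascript
// proxy.pac (added example, not the post's file). Written with plain JavaScript only,
// without the isInNet()/dnsDomainIs() PAC helpers, so the same text works in a
// browser's PAC engine and can be exercised in Node.
var PROXY_HOST = "10.10.0.155"; // ASSUMPTION: address of the pfSense box running Squid
var PROXY_PORT = 3128;          // ASSUMPTION: Squid's listening port on pfSense

// RFC 1918 literal addresses (the HFS server 10.10.0.150 and pfSense itself fall here,
// so the client can still fetch this file and reach the firewall GUI directly).
function isRfc1918(host) {
  return /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host) ||
         /^192\.168\.\d{1,3}\.\d{1,3}$/.test(host) ||
         /^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/.test(host);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified intranet names and loopback never go through the proxy.
  if (host.indexOf(".") === -1 || host === "localhost" || host.indexOf("127.") === 0) {
    return "DIRECT";
  }
  if (isRfc1918(host)) return "DIRECT";
  // Everything else, HTTP and HTTPS alike, goes through Squid so SquidGuard can apply
  // the SocialNet blacklist to the CONNECT host name. Deliberately no "; DIRECT"
  // fallback: with one, the browser would bypass the filter whenever the proxy is down.
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}
```

Serve this text from HFS on port 8085 under the file names used in the snapshot (Internet Explorer requested Proxy.pac in the test later in this post) and point DHCP option 252 at that URL.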

Once these files are saved, I will use a very simple HTTP server tool to host them on one of my servers on a specific port that clients can reach without any problem. My favourite tool is HFS, which you can download from here.
Web Server Configuration
  
After running the HFS application I will set it to listen on port 8085 and load all the files, as in the following snapshot.
You can simply load the files by dragging and dropping them under "Virtual File System" in the right pane.
DNS Configuration
Once this is done we have to configure the wpad record on our DNS server: an A record pointing to the server where the files are hosted (in my case I installed HFS on the AD/DNS server, which has the IP 10.10.0.150).

Next I will go to the client and check whether I can resolve this wpad name.

I tried to resolve the name, but apparently nslookup is not finding the record I created although it is in the DNS. I tried ipconfig /flushdns and restarting the DNS service, but nothing solved the problem.
Lastly I went to the DNS logs to check whether there was anything worth noticing, and here is what I got: error event ID 7600.
Googling this error led me to this Microsoft KB.
All I had to do was open the registry editor and delete the wpad entry from the GlobalQueryBlockList value, as follows.
Here is what it looks like after deleting wpad:
Click OK and make sure you restart the DNS Server service.
On the client I will flush the DNS cache and try another nslookup.

DHCP Server configuration
Now for the DHCP server's options, as required in the prerequisites earlier. I have my DHCP configured on the pfSense server and will configure it as follows.

Here I clicked Advanced next to "Additional BOOTP/DHCP options", entered the option number I wanted to configure (252), chose String as the type since it is a WPAD URL, and in the value field entered the URL of the wpad file on the server where I ran HFS, making sure it is reachable by clients.

Next I saved everything. I will watch HFS to see whether the clients request the file, and I will go to the client and request Facebook over HTTPS.
Note:
For the autodiscover (WPAD) feature to work, Internet Explorer/Firefox must be set to automatically detect settings.
On the HFS server (my AD) I will look for any log entries reported once I start browsing. For now the log is empty.
I will go back to the client and browse to Google, for example.

On the client I tried to open Facebook over HTTPS and it did not work, while other websites work just fine!

What happened on the HFS server is that the client's Internet Explorer requested the "Proxy.pac" file for its settings, which means all of our settings are working properly.
Note:
The only thing I did in the Proxy Filter to block Facebook was to deny SocialNet, which includes all the social media websites. If you want to block only Facebook and leave Twitter alone, you will have to extract the blacklist, create your own facebook folder and text file containing all the Facebook URLs, and then upload it to your own FTP or web server.
