Category Archives: Snort

Setting up Snort on Pfsense

If you would like to protect your system from any public attacks e.g. (Exploits, Transitive trust, Data driven, Infrastructure, DOS, Magic… Etc.) then you should consider deploying IDS or IPS system to detect and protect your network from any attacks.
In Pfsense the famous open source firewall, you have the capability to deploy Snort which is one of the most famous and old IDPS systems around.
In order to do so you will have to go to Packages from System/Packages and install it
After clicking on the packages button, you will get a list of packages and among them snort will be listed there
Click on the + on the far right to start the installation process.
I’ll Click on Confirm to continue
After it’s been installed now you’ll be able to see it on the Services menu tab.
Click on Snort and let’s go configure it.
Before you start configuring Snort, you must know that in order to successfully get it to work you must be registered in at least one of the snort communities which publishes important rules that tells snort what to check.. Similar to the firewall’s rules.
The websites are as following and you can find their settings under the Global settings tab in snort window
I will sign up to Snort free account and configure all of the snort supported rules in order to get the most of it. After signing up I’ll need to activate my account.
I have receieved the confirmation now and I’ll confirm my account now, Once confirmed Snort will provide you with a code called VRT Oinkmaster confirmation code.
When your account is activated, you will need to go to your profile by clicking on your activated e-mail top right and you will find it on the left side. Copy the code and paste it to your snort on pfsense.
Just like this
So after I added the code this is how my Global Settings tab looks like (I enabled all the other free rules as well)
Now I will go to Updates tab and start updating rules tab. After clicking update this is how it will look like:
When finished this is how it’ll look like
Once Finished this is how the updates tab will look like
If you are connecting to Pfsense from any location where you are planning to enable Snort Interface for then before you enable snort you must consider going to Pass Lists and add your IP (Either private if you’re planning to enable the LAN Interface or Public IP if you’re planning to include WAN Interface).
In order to create a Pass list, you will have to create an Alias and add the Ips you would like to include in the pass note that these IPS are never going to be checked or filtered by Snort.
In order to create an Alias List, click on Firewall Tab and scroll to Alias
Once in IP list page click on the + button far right to add the Ips that you would like to pass.
From type select the type of hosts that you’d like to include there, for me I’d like to include only a couple of Ips
Click Save and Apply then Close then go back to Snort’s Pass Lists and click on + to add new Pass list.
Select all the Networks, WAN IP, GATEWAY, DNS and finally the Alias that you have created and save.
Once saved, this is how the pass lists is going to look like
Now we can go back to Snort Interfaces and enable the WAN Interface for snort. I’ll click on Snort Interfaces tab and click + to add the new interface
Below I will select block offenders in order to protect myself from DDoS attacks and other attempts to crack internet exposed servers e.g. (FTP, Http..etc) .
Here from Pass List I will select the list which I’ve created in the Pass List tab
As you can see below when the icon is red it means that the Snort is not running and you will have to press on the red icon to turn it on.
After enabling the WAN interface you will have to go define some rules and enable them.
Let’s define some rules for this interface e.g. FTP in order to do so I will click on the E next to the WAN description far right on the top snapshot.
We should go to WAN Categories and select different category in order to apply rules.
Enabling all rules might affect your VM or PM’s processor performance.
Now I will select all the rules from the rules list below and that will enable all the rules also that are included in the Snort GPLv2 Community.
Once added, you will have to apply changes and then click on Apply …. And for any reason the service did not start as in the below snapshot then you should navigate to Status tab and check the “System Logs”
In System logs I noticed the following error:
After doing a lot of digging on this error it seems that it’s caused by the rule “Sensitive Data” and after disabling all the rule set in this rule I was able to start Snort on WAN again.
When this is done, I will test snort if it’s working by simply try to hack into pfsense’s portal by using wrong passwords for let’s say 10/20 times and see if my IP will get blocked (I’ll use a different Public IP which is not in the pass lists)..
After trying about 7 attempts with wrong username and password I tried refreshing the page
Here is what I got
I will go check Snort blocked list and see if the IP that I tried connecting from is there note that the Public IP which I was trying to connect from was
As you can see below the IP has been blocked and the alert description says it as it is (http_inspection)
So that means that our snort works as it’s supposedly expected to.

If this has helped you, please leave a comment Winking smile Tags: ,

What is Suppressing in Snort? And how to use it (Basic Tutorial)

Suppression allows an administrator to control how many alerts are generated from (or to) a given host or for a particular signature. 
What does it do exactly?
Suppression prevents rules from firing on a specific network segment without removing the rules from the ruleset. By using suppression, ruleset can be quickly turned for a specific environment without disabling rules that maybe useful in general.
How it works?
Assuming that you want to download an executable file/content from any website. If you have ticked all the rules in snort for your wan connection, Snort will alert this and block it in case you have the block option enabled as well. You will get something similar to this alert in the alert tab.
And in Block tab, You will get something like this :
This is a website that I visited “” to download a FTP application but snort alerted and blocked the download host IP which is “”
Now By adding a suppression line to snort suppression tab, the rule sid:16313 which happens to be a “download of executable content with x head”, will not fire again in the alerts tab after I add the following line to the suppression list.
The first line with the hash in the beginning is just a title for the rule to remind you later what it exactly does.
The gen_id 1 and sig_id will usually appear in the alert tab so in case you got some rules blocking websites which you visited and don’t want them to get blocked you can filter the alert tab and search for your rule, get the gen_id and sig_id and create the suppression line for it.
Note: adding new suppression lines won’t take effect unless you restart the interface which snort is monitoring.
Hope this was useful to you Smile Tags: ,,,,