This article explains how to set up an IDS/IPS system using Snort on PfSense 2.4. There are other howtos; this documentation is mainly for my own benefit.

If my documentation helped you, please consider clicking some of the ads on this page. It won’t make me rich but I would know someone found it useful :) If you’re really euphoric about it there’s also a PayPal donation button on the right.

Open the screenshots in a new tab to get the full versions.

IDS/IPS
An Intrusion Detection System (IDS) is a method to identify malicious network traffic. An Intrusion Prevention System (IPS) is a method to act upon that identification and keep that traffic from reaching clients on your network.

On PfSense, IDS/IPS is provided by either Snort or Suricata. The two programs offer the same functionality: Snort is older, better documented and better known, while Suricata is newer, a bit more efficient in some places, but less well documented.

Snort
Snort/Suricata is the software that does the actual identification and blocking; both need rule lists to scan against. Snort offers its own list, which comes in two flavours: categorized and uncategorized. You can use the uncategorized list without a Snort account; the categorized list is much easier to understand and use but requires a Snort account. This account comes in three flavours (prices at the time of writing, per year and per sensor, which is basically per firewall):
– free, but the rules are at least 30 days old;
– personal (US$ 29,99);
– business (US$ 399).

It is possible to use the Snort list in Suricata but there are some minor incompatibilities. It will probably just work but Suricata may swear at you sometimes. The PfSense forum has some suggestions and opinions on the matter.

Emerging Threats
Another list provider is Proofpoint’s Emerging Threats (ET) list. This one is free of charge, not categorized, and available for both Snort and Suricata. They may also offer commercial solutions; if they fixed their site and removed the management sauce we would probably be able to find out what they do and do not offer.

The easiest route for the purpose of this document is to create a free Snort account, use Snort with the 30-day-old list, get to know the system, and then either change to Suricata or pay for Snort.

Note that running IDS/IPS and virus scanning can be rather resource hungry, so make sure your hardware is up to it. Also keep in mind that for the first few days in production Snort/Suricata will probably need some fine-tuning.

Sources
https://rules.emergingthreats.net/open/
http://www.squidguard.org/
https://snort.org/
https://forum.pfsense.org/index.php?topic=61018.0
http://www.shallalist.de/

Versions
PfSense 2.4.1-RELEASE
We will install Snort with the older lists because those are free and the setup is identical to the paid versions.

Go to System > Package Manager > Available Packages. Find Snort and click Install.

Create an account on Snort.org, sign in and find your “Oinkcode”, which looks something like “p9k2m4swnrvjhdiolnjredlwl3bqliq27mfa4r” (this particular code is bogus).

Go to Services > Snort > Global Settings. Check ‘Enable Snort VRT’ and put in your Snort Oinkmaster Code.

Set Update Interval to 12 HOURS or whatever you think is a sane value. I suggest you change the Update Start Time to some other value than the default so as not to hammer the Snort servers too much.

Remove Blocked Hosts Interval: 1 HOUR, or whatever you think is right.

Services > Snort > Updates > Update Your Rule Set; click Update Rules. Make sure the result is success, otherwise troubleshoot until it is. Use the Force Update button if necessary.

Now that Snort can retrieve rules, we’re going to tell it where to scan. In a basic router setup there are two options: WAN and LAN. Since traffic goes from one to the other it doesn’t much matter which we choose. If you have more than one LAN-facing interface (e.g. VLANs, wireless interfaces, etc.) Snort will have to scan them all separately, increasing the CPU cycles required. A reason for choosing LAN is that Snort will be able to point out the local client associated with the traffic.

In other words: choosing LAN tells you which local client is involved, while choosing WAN saves CPU cycles if you have more than one LAN interface. Let’s choose LAN; click Add.

Check Enable, set Interface to LAN and fill in a Description.
While testing, you can have Snort write to the system log so you can keep an eye on it: check ‘Send Alerts to System Logs’. LOG_AUTH and LOG_ALERT are appropriate.

If you want to turn your IDS into an IPS, check ‘Block Offenders’. Which IP address you want to block is up to you. My personal favourite is BOTH.
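As an added illustration of the IDS versus IPS distinction and of the Block Offenders choice (example code written for this page, not Snort's or the pfSense package's own logic): a toy matcher that reads a few constructed rules in Snort's rule syntax, checks constructed flow records against them, and shows which addresses end up blocked under SRC, DST and BOTH. The rules, the flow records, the HOME_NET range and the simplified matching are all assumptions; real Snort does far more (stream reassembly, preprocessors, many more rule options).

```python
"""Toy Snort-style matcher: IDS (alert only) versus IPS (alert + block)
with the SRC / DST / BOTH block setting.  Rules, flows and HOME_NET are
constructed for illustration and are not from any real rule set."""
import re
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.168.1.0/24")  # assumed LAN range

# Constructed rules in Snort rule syntax; a leading '#' is a disabled rule.
RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example suspicious URI"; content:"/cgi-bin/evil"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"POLICY example IRC from inside"; sid:1000002; rev:2;)
# alert udp any any -> any 53 (msg:"DNS example disabled rule"; sid:1000003; rev:1;)
"""

RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)

def parse_rules(text):
    """Parse the header and the msg/content/sid options of each active rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = dict(re.findall(r'(\w+):"?([^;"]*)"?;', m["opts"]))
        rules.append({**m.groupdict(), "sid": int(opts["sid"]),
                      "msg": opts["msg"], "content": opts.get("content")})
    return rules

def _addr_matches(spec, addr):
    if spec == "any":
        return True
    inside = ip_address(addr) in HOME_NET
    return inside if spec == "$HOME_NET" else not inside  # $EXTERNAL_NET

def _port_matches(spec, port):
    return spec == "any" or int(spec) == port

def match(rule, flow):
    """Simplified: direction, ports and a plain substring check on the payload."""
    return (rule["proto"] == flow["proto"]
            and _addr_matches(rule["src"], flow["src"]) and _port_matches(rule["sport"], flow["sport"])
            and _addr_matches(rule["dst"], flow["dst"]) and _port_matches(rule["dport"], flow["dport"])
            and (rule["content"] is None or rule["content"] in flow.get("payload", "")))

def inspect_flows(rules, flows, block_offenders=None):
    """block_offenders: None = IDS (alert only); 'SRC', 'DST' or 'BOTH' = IPS mode.
    Returns (alerts, set of blocked addresses)."""
    alerts, blocked = [], set()
    for flow in flows:
        for rule in rules:
            if match(rule, flow):
                alerts.append((rule["sid"], rule["msg"], flow["src"], flow["dst"]))
                if block_offenders in ("SRC", "BOTH"):
                    blocked.add(flow["src"])
                if block_offenders in ("DST", "BOTH"):
                    blocked.add(flow["dst"])
    return alerts, blocked

# Constructed flow records (documentation-range addresses).
FLOWS = [
    {"proto": "tcp", "src": "203.0.113.9", "sport": 44123, "dst": "192.168.1.20", "dport": 80, "payload": "GET /cgi-bin/evil HTTP/1.1"},
    {"proto": "tcp", "src": "192.168.1.33", "sport": 51000, "dst": "198.51.100.7", "dport": 6667, "payload": "NICK bot"},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 44124, "dst": "192.168.1.20", "dport": 80, "payload": "GET /index.html HTTP/1.1"},
    {"proto": "udp", "src": "192.168.1.33", "sport": 5353, "dst": "198.51.100.7", "dport": 53, "payload": ""},
]

if __name__ == "__main__":
    rules = parse_rules(RULES)
    alerts, blocked = inspect_flows(rules, FLOWS)  # IDS: alerts, nothing blocked
    print("IDS alerts:", alerts, "blocked:", sorted(blocked))
    for mode in ("SRC", "DST", "BOTH"):
        _, blocked = inspect_flows(rules, FLOWS, mode)
        print(f"IPS, Block Offenders = {mode}:", sorted(blocked))
```

Running it shows the trade-off behind the choice: with BOTH, the LAN client 192.168.1.20 that was merely the target of the inbound alert lands in the blocked set together with the remote address, which is why the Blocked page deserves attention in the first days.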

According to bmeeks in https://forum.pfsense.org/index.php?topic=61018.0 you can ‘usually safely’ check ‘Checksum Check Disable’ here.

Leave the other settings at their defaults for now and don’t forget to click Save.

You will now find the interface you just created under Snort Interfaces. Click the Edit icon under Actions.

Click LAN Categories, check ‘Use IPS Policy’ and choose one of the IPS Policies. If you don’t want to use a predefined rule set, leave this unchecked; you will then have to select the rule categories manually. Scroll down and click Save.

Under Services > Snort > Interfaces, under Snort Status click the start icon.

Your Intrusion Detection and Prevention Service is now operational!

Find your alerts in Services > Snort > Alerts and your blocked addresses under Blocked. I suggest you keep an eye on these pages for a while to fine-tune your settings. The alerts can be a bit cryptic; just Google them.

To stop a rule from sending alerts and causing blocks click the Force-disable icon under the rule’s SID.

I’m also using the free (as in free beer) Emerging Threats rules, which aren’t divided up into three easy categories like Snort’s rules. To see what you need takes a bit of attention. Keep an eye on the Blocked and the Alerts page and if something isn’t working that should, find the SID of that rule.

In the LAN interface (in this case) click the Rules tab and select the corresponding category.

Find the SID (press Ctrl+F and paste the SID you copied). You can disable that rule here.

If you feel the rules are not appropriate for your network you can disable the complete category: in the Snort interface click the Categories tab and deselect that category.

Click Save and wait for the page to reload.

Go back to the Snort Interfaces tab and click the Restart icon for the interface you edited.
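The triage step above (watch the alerts, find the SID of the rule that is misbehaving) can be scripted against the system log when ‘Send Alerts to System Logs’ is on. The following is an added example, not part of the original article or of the pfSense Snort package; it assumes the LAN is 192.168.1.0/24 and that alerts arrive in Snort's alert_syslog format. The log lines, hostnames and gid:sid values are constructed.

```python
"""Group Snort syslog alerts by gid:sid, count them and record which local
client was involved, to decide which SIDs need review or force-disabling.
Log lines are constructed in Snort's alert_syslog format; SIDs are made up."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.168.1.0/24")  # assumed LAN range

# [gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r'snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) '
    r'(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] '
    r'\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)'
)

SAMPLE_LOG = """\
Nov  5 10:12:01 pfSense snort[12345]: [1:1000001:1] WEB example suspicious URI [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:44123 -> 192.168.1.20:80
Nov  5 10:12:07 pfSense snort[12345]: [1:1000002:2] POLICY example IRC from inside [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.33:51000 -> 198.51.100.7:6667
Nov  5 10:13:40 pfSense snort[12345]: [1:1000002:2] POLICY example IRC from inside [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.40:51002 -> 198.51.100.7:6667
Nov  5 10:14:02 pfSense snort[12345]: [1:1000004:1] INFO example DNS query [Priority: 3] {UDP} 192.168.1.33:5353 -> 198.51.100.7:53
Nov  5 10:14:03 pfSense php-fpm[331]: /index.php: Successful login for user 'admin'
"""

def parse_alert(line):
    """Return the alert fields as a dict, or None for non-Snort log lines."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def local_client(alert):
    """Whichever endpoint lies in HOME_NET: the client Snort on LAN can name."""
    for key in ("src", "dst"):
        if ip_address(alert[key]) in HOME_NET:
            return alert[key]
    return None

def triage(log_text):
    """Summarise alerts per gid:sid: message, hit count, priority, local clients."""
    summary = defaultdict(lambda: {"msg": "", "count": 0, "priority": None, "clients": set()})
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        entry = summary[f'{alert["gid"]}:{alert["sid"]}']
        entry["msg"] = alert["msg"]
        entry["count"] += 1
        entry["priority"] = int(alert["prio"])  # Snort: 1 = high, 3 = low/informational
        client = local_client(alert)
        if client:
            entry["clients"].add(client)
    return dict(summary)

def noisy_sids(summary, min_count=2, low_priority=3):
    """Candidates to review first: rules firing repeatedly or rated low priority."""
    return sorted(k for k, v in summary.items()
                  if v["count"] >= min_count or v["priority"] >= low_priority)

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for key, entry in sorted(summary.items()):
        print(f'{key:<10} x{entry["count"]} prio {entry["priority"]} '
              f'{entry["msg"]!r} clients={sorted(entry["clients"])}')
    print("review first:", noisy_sids(summary))
```

The gid:sid printed per line is what you paste into the Ctrl+F search on the Rules tab; the client list is the benefit of inspecting on LAN rather than WAN, since the local address is still visible before NAT.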