How To Setup Your Own IDS/IPS in PfSense With Snort

Video Statistics and Information

Captions
Hi everyone, thanks for checking out another InfoSec Hub video. Today we're going to talk about installing and configuring Snort, and what Snort is. Snort is an intrusion detection and an intrusion prevention system that can be installed on top of pfSense, and I'll show you how to do it. By the way, I just updated this dashboard. You have various widgets here, whatever you need; maybe you want to see OpenVPN, if clients are connected, or anything like that. I just opened here with Traffic, what kind of interfaces I have, and the System Information. So now we don't have Snort running yet, so 24% of memory is in use and the CPU is idling at around two to three percent. That will change as soon as Snort is installed and all those rule sets are loaded on this machine, because it's quite heavy on the memory usage, so keep that in mind. In this particular tutorial pfSense is running inside VirtualBox and I assigned only one gig of RAM to it, so this is probably not enough, but we'll see how far we can get.

Without any further ado: Snort doesn't come standard, because this is still kind of a clean install, so we need to fetch it ourselves by going to the Package Manager. Here you have an overview of the installed packages and the available packages. You go here and you basically just search "snort". So this is the version: "Snort is an open source network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection." This is a really, really neat feature. So confirm it and it will install and grab the package over the internet; sometimes this will take a while. So the installation of the Snort package is complete. Okay, fine, great. You can find it here under Services, and then we go to Snort, and here you have Snort Interfaces, Global Settings, Updates, Alerts, Blocked, Pass Lists. But we first need to set it up on an interface, and that's going to be the WAN interface. So enable this interface; we use the WAN, not LAN. Description: just keep it at WAN, or you can fill in your own description here.

Alert Settings: Send Alerts to System Log. Snort will send alerts to the firewall system log; the default is not checked. Block Settings: okay, I would turn this on. Yes, it will create a lot of noise; an intrusion detection system will create a lot of noise, so you will have big logs, but just to determine how effective the rules are that you will later implement, because out of the box it's a lot of tweaking, you want to see what kind of logs the system produces, and on that kind of knowledge you can fine-tune the system. So I would check this box. Let's see, Enable Packet Capture: no, I would keep it like this. Search Method: okay. Save. Then we go to WAN Categories, WAN Rules, Custom Rules. Let's see the Global Settings. This is where it gets interesting. So Snort is an intrusion detection and an intrusion prevention system. The power of this package is really in the rules, and what are rules? Rules are kind of attack signatures, right? It's like every attack at a certain port with a certain protocol has a unique set of signatures, and you can make sure that it will be downloaded. So this way you can register for free rules; here, I'll show you. You can sign up, just create an account here, and you'll get an Oinkcode, and you need this code to be identified by Snort as a user, as a unique user, and you need this Oinkcode just to be able to download these rules that come from this community. You either have the free registered user rules or you have the paid ones, if you for instance run inside a business that has more critical assets that need to be protected, and you see these prices are not very cheap, but this is great technology, guys, I'm telling you. So if you sign up for an account, then you can set the Oinkmaster code in here, and this will enable you to download those kinds of rules.

So we also have the GPL Community rules; tick that box as well. The Emerging Threats (ET) rules: tick this box as well, or if you have ET Pro and you have an account, you can click this one here. And I will open AppID: the OpenAppID detectors are about applications. Let's see, Update Interval: this is not good, because then you will never get new rules. I would have a check daily, and you can for instance specify five o'clock in the morning, just before the working day basically, or whatever time you want, whatever would fit you best. Remove Blocked Hosts Interval: please select the amount of time you would like hosts to be blocked. Select the day. So for instance, if something happens on your network that, based on the rule set, looks shady, then this client, this host, cannot connect to your network for a day. You can also set it to 15 or 30 minutes; it really depends on what kind of environment you're running it in, but let's say for instance you use it at home as your firewall IDS/IPS: I would select one day. So save. Updates: so it's not enabled, it's never been downloaded. I'm not sure if I can do this because I didn't fill in the Oinkcode here, but if you do have an Oinkcode (I do have one, I can copy-paste it just to show you), then you are able to update these rules. Now it will probably not be able to update anything because I didn't copy-paste the Oinkmaster code there. You really need to set up an account; then you can download these rules. I'll close it for now. You have Alerts and a block list, and I have this image from a live environment. This is what you will actually see when traffic runs through it. So you see what kind of protocol has been used, UDP, TCP, what the source IP is, and the destination IP is my own IP address; that's why I removed it here. You can just suppress this one to a whitelist or to the suppression list if this is a false positive. Basically you can add it and this shouldn't pop up anymore.

Here you see "MISC attack", so it can be anything, and it's only been identified based on a specific rule. So I hope that makes sense: these signatures, those are the rules, those attack signatures, that's what you will download in pfSense. So let's see what else we have here. We have Pass Lists, we can suppress IPs, we have IP Lists. Let's go to the Snort Interfaces. So you see we just set it up; we click this and then we start Snort on this interface. At this moment it is disabled, so now it will load. It is loading right now; you get this icon here. We'll go back to see if I can show you more later. Just a second; we go back to the main page. All right. Now we see memory in use is a little bit higher, but those rules haven't even been loaded yet. I don't even think I can; you need at least four gigs just to be safe if you use this in a live environment with many clients, because those rules, there are thousands and thousands of lines of code that you have to load into the memory basically. So let's see if we have another dashboard here. Do we have Snort Sensors? Let's look over it: Interface, Firewall Logs, for instance. We can add a new widget here and then you have an overview of what's happening, and this is actually, when you go to the Alerts, what you saw earlier. You have an overview of this, and this is from a live environment, but at this moment in my virtual machine no traffic is running through. So here you have some firewall logs. Okay, Snort Alerts: you will see this in a live environment. Let's go back to Snort. So we go to the Global Settings, and okay, it hasn't been saved; you need this code. So here you see an overview of the installed rule sets at this very moment. We also have the Snort Subscriber Rule Set, GPL, Emerging Threats. You can add many more of these lists and they will be frequently updated by a very big community, and it's totally free and it's fantastic. But I have to just warn you: here with Alerts or Blocked you can see what's happening and why certain things are blocked, and you can suppress IP addresses, port numbers, things like this, because out of the box you will see that sometimes things will not work.

I remember in the beginning I could visit YouTube, and at a certain moment a video wouldn't play anymore. I had to go through this list here, and then I see the IP, and I can look it up with this one; I look it up and I see, oh, this IP is connected to youtube.com, the domain, and when I suppress it and I save it, then it works again. So you have to do some testing, and you have to be aware that on the network things will happen that you didn't expect, but it's always easy to go back: we go to the Snort Interfaces and we turn it off again, right? If you have time, then you can sit down here, and people in the house or in the office can just go ahead, and you will see what's happening, what's on the network, and you can suppress certain IPs. But it takes time to make sure that these settings are fine, because you're going to get a whole bunch of rules. All right, so these are all the basics. The updates of the rule sets: it said it was a success, but it didn't fetch anything yet. You can force updates as well; this will take a while, but you need the code, which I said before. Alerts, Blocked, the Pass List, the Suppress List, the IP List, SID Management ("enable automatic management of rule state and content using configuration lists"); there's a whole lot of other things that are possible here. Log sizes, retention of logs, the log limits and sizes in MB. Logging is really something that you need in the beginning, just to make sure that all the false positives will be out of this system before you can really see its value. And again, going back to this: this is just happening. You see the time; it's not happening every minute, but it really depends on what kind of traffic is going through there. In this live environment Snort has already been running for, I think, three years, so most of the bugs are out there, but you have to realize that these lists will be updated every 24 or 48 hours, depending on your own needs, and it can introduce some bugs again, so just keep that in mind. This is one of the most extensive packages inside of pfSense.

I hope it was clear how to set it up and where you need to look. Of course you set it up on WAN, because it is at the edge of the network; it is the WAN port that goes to the internet, and all the attacks will land on the WAN port and try to go to the LAN, so you set it up here at WAN. Most important: get the code, subscribe and enable all these rules. You can set it up, and again, if things are not working the way you want, you can always stop it and then later on, based on this Blocked and Alert list, suppress certain IPs. I hope that was clear. If you have any questions for me, please let me know and we'll try to get back to you as soon as possible. Thanks for watching this video and we hope to see you guys in the next one.
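The false-positive workflow the video walks through by hand (read the alert list, find the rule SID and the peer address that a legitimate service trips, add a suppress entry rather than disabling the rule) as an added Python example. This is not code from the video or from the pfSense Snort package. It parses Snort 2 alert_fast log lines, which is the text format the pfSense package writes to its alert log, counts hits per rule and per source, lists the sources that the package's Block Offenders option would block (approximated here as "any source with priority 1 or 2"), and drafts Suppress List entries in Snort's threshold.conf syntax for alerts involving an assumed known-good address. The alert lines, the SIDs (kept in the 1000000+ local range so they do not collide with real rules) and the IP addresses are constructed for the example.

```python
"""Triage Snort alert_fast lines and draft pfSense Suppress List entries.

Added example; not code from the video or the pfSense Snort package.
The log lines, SIDs and addresses below are constructed sample data.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Snort 2 "alert_fast" layout (IPv4 only here; ICMP lines carry no ports):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c]
#   [Priority: p] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log. 198.51.100.20 plays the WAN address; 192.0.2.10
# plays a legitimate video CDN host that trips a noisy local policy rule.
SAMPLE_ALERTS = """\
10/30-05:01:12.113344  [**] [1:1000001:3] LOCAL SCAN Inbound SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44120 -> 198.51.100.20:22
10/30-05:01:13.220000  [**] [1:1000001:3] LOCAL SCAN Inbound SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44121 -> 198.51.100.20:22
10/30-05:02:40.500000  [**] [1:1000002:1] LOCAL POLICY Large UDP stream [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.0.2.10:52000 -> 198.51.100.20:443
10/30-05:03:05.000100  [**] [1:1000003:2] LOCAL ICMP Echo from outside [**] [Priority: 3] {ICMP} 203.0.113.9 -> 198.51.100.20
this line is not an alert and must be skipped
"""


def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the named fields of one alert_fast line, or None if it is not one."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def parse_alerts(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse a whole log, silently dropping lines that are not alerts."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def hits_per_rule(alerts: Iterable[Dict[str, Optional[str]]]) -> Counter:
    """How often each (gid, sid, msg) fired: the first thing to look at when tuning."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def block_candidates(alerts: Iterable[Dict[str, Optional[str]]], max_priority: int = 2) -> List[str]:
    """Source addresses that a by-source block policy would put on the blocked list.
    Approximation for the example: anything at priority <= max_priority."""
    return sorted({a["src"] for a in alerts if int(a["prio"]) <= max_priority})


def suppress_entries(alerts: Iterable[Dict[str, Optional[str]]], known_good: Iterable[str]) -> List[str]:
    """Draft `suppress` lines (Snort threshold.conf syntax, which the pfSense
    Suppress List accepts) for rules that fired with a known-good peer.
    Tracking by the matching side keeps the rule active for everyone else."""
    good = set(known_good)
    out = set()
    for a in alerts:
        if a["src"] in good:
            out.add(f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_src, ip {a['src']}")
        elif a["dst"] in good:
            out.add(f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_dst, ip {a['dst']}")
    return sorted(out)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (gid, sid, msg), n in hits_per_rule(alerts).most_common():
        print(f"{n:4d}  {gid}:{sid}  {msg}")
    print("would be blocked:", ", ".join(block_candidates(alerts)))
    # 192.0.2.10 is the assumed-legitimate CDN host from the sample log.
    for entry in suppress_entries(alerts, {"192.0.2.10"}):
        print(entry)
```

The suppress line is deliberately scoped to one rule and one address; pasting it into the interface's Suppress List silences only that pairing, whereas disabling the SID under WAN Rules would stop the rule from catching the same behaviour from an unknown host. If the video's "Remove Blocked Hosts Interval" has already put the peer on the blocked list, it still has to be cleared there (or the interval has to expire) before traffic flows again.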
Info
Channel: InfoSec Hub
Views: 1,445
Keywords: pfsense, open, source, firewall, IDS, IPS, intrusion, detection, prevention, system, how, to, setup, inside, in, virtualbox, rules, rule, download, oinkmaster, key, free, signature, attack, overview, false, positive, positives, tutorial, supress, ip, port, address, number, misc, snort, community, updates, update, secure, WAN, LAN, network, security
Id: OoiY5tx7Ol4
Length: 14min 43sec (883 seconds)
Published: Sat Oct 30 2021