Tutorial: Setting up Snort on pfSense 2.4 with OpenAppID

Reddit Comments

I'm on pfSense 2.4.2 with the latest Snort package and I don't have the policy option.

1 point, u/zveroboy152, Jan 24 2018
Captions
So the folks over at Netgate have been busy, along with the folks over at Snort, making some updates. Now, I had done an in-depth review of Suricata because I really enjoy the product and I really liked it, and at the time it seemed to have a few advantages, but since this latest round of updates Snort is looking much better, and so I've been doing some testing with it for a little while, and it's why it took me a minute before I could get the video out. But one of the things that's really cool is the application detection that it has in here as well, so we're gonna cover this OpenAppID: what it is (and essentially I'll leave links to this), but it's the ability to actually look at the application layer, at layer 7, and identify certain applications that are running inside the system. Now this is really cool. To bring a window over here real quick, this is just a quick glance of toms.house and seeing it running there, and what you're looking at here is all the different things. For example, it sees Netflix. What else do we have here? Oh, Zynga. I can tell you already that's my wife's phone right there. It's fun having this at home, so I can actually see the different things that it picks up: the fact that it's running Zynga (she plays, I don't know, some clicker game on her phone), but anyway, we got Netflix, we got Chrome updates. So it's really interesting having this application ID on here. This is, you know, the end result, what it looks like, but of course you guys want to know: how did we get here, how do we load it? And of course that's what I'm going to cover for you: get you the details, show you how to set it up, and some basic settings and concepts with Snort. I'm really impressed with it. I may be switching from Suricata myself with this latest version. I've been testing it at home for a while, where it's a less critical environment, and it's nice because it requires less effort than Suricata did to get it tuned. They've built in some really nice features that kind of get you up and running without having to do as much tuning as you do, because tuning is the hardest part of any intrusion detection system. The concept is you have a lot of rules, and then people want to go crazy and turn them all on and turn blocking on, and then you have an unusable network until you spend a whole lot of time tuning. Something I covered in Suricata was, you know, enable the rules kind of on an as-needed basis and figure out which ones are important, and then turn on blocking, and then you have to kind of maybe set the network and tune it. And it's hard for me to switch because I spent so much time tuning Suricata, but the fact that Snort comes kind of out of the box fairly tuned, you know, I've been really impressed with it. That's pretty cool.

So let's dive into this. Now there is an updated guide, including the application ID, on doc.pfsense; I'll leave a link to that. They've got lots of the details here. I'm not going to read it to you, because what fun would that be, but they've done a good job in keeping up with the documentation, so they did add some screenshots for application ID and some of the other things we're gonna be covering.

All right, this is my clean load lab of pfSense. So the first thing we got to do to it... well, I can't say 100% clean, because I've configured it for external access. Its WAN IP, which is in my network, is 398, and then on the LAN side is 40.1. Not super relevant, but yes, in case people are asking, it's not a true WAN external IP; that's because this is a lab, so all this is simulated. Just gotta get that out of the way, because I don't think I've posted a video where someone doesn't see that and it becomes one of the first comments: "that's not actually an external IP". I know. So this is configured, set up and allowed for external LAN access so I can pass data through it and do this type of testing. And we're going to go to Package Manager, Available Packages, we type in snort, we hit Install, we hit Confirm, it runs through, so this part of it hasn't changed.

All right, Snort's installed. That part, like I said, is pretty straightforward. Here we go to Services, Snort, and we got to get it set up. Now by default, out of the box, nothing's configured; you do have to enable things. In Snort Global Settings, the first thing you do is, well, we're gonna get some rules, and this is to enable the Snort VRT free registered or paid subscriber rules. Sign up for a free account. I'm not gonna show you how to sign up for an account, but this is where you get it. I'm already logged in; I would click on that and get my Snort ID for you, but you can't have mine, you gotta go get your own. It's free; you get an email. If you want to sign up for the paid ones, they have the paid subscription, so if you want to buy some personal rules or business rules or something, you know, become a distributor, they have all that information on here. Now the reality is the rules are the sauce that makes all of this work, so they're really important, and supporting some of these projects is important as well. That's why they want money for them, because there's a lot of time, effort and thought that goes into creating rules. So you have the product itself here, but the intelligence of the product comes from having these rules to identify and apply that information to the traffic passing through here in order to make it function at all. Now you do have some GPL community rules; we're gonna enable those. I'm gonna put my own code in here in a second, but that's gonna get blurred out. I'm gonna enable the ET Open rules, or you can also sign up for an ET Pro account. Then we're gonna check "enable download of Sourcefire OpenAppID detectors", because we want to use that, and right here as well. So these are the ones you need to turn on and download those rules. Update interval: unless there's some critical reason for it, set it to 24 hours, unless you go "man, I really need all the rules". I'm gonna hide deprecated rule categories, and if you are pulling from sources that don't have SSL verification you can check this too, if it's pulling from a source with a self-signed certificate.

Now, blocking: you may or may not want to do this. If you do this, you're gonna have to actively kind of do some babysitting with your firewall, because if you turn on blocking and it blocks everything in here and you're not done tuning things a little bit, you may have a lot of angry people on the other side of the network, or just block yourself out of doing things. This is the interval for removal; you probably don't want it at never. What it is is: something gets blocked, how long before it falls off the block list? So I'm just gonna set it here to 30 minutes, and then we're gonna go ahead and hit Save.

All right, I hit Save. I also cut out the part where I put in my Snort master code that I got, just the free registration one. So we're gonna go ahead and update the rules, because as you've seen, none of them were downloaded and none of them are updated, so the first thing we need to do is, well, we got to get the rules. All right, depending on speed of your connection and speed of your system, results may vary, but this is all the rules up to date as of right now, and now they're automatically on the auto-get-new-rules update. So let's go over here to Snort Interfaces, because now we have to add an interface to it in order to get things set up. So we're gonna go ahead and add: enable, interface WAN, that's fine. Enable splitting of any port group: we're gonna leave this at default. Search optimize: we'll go ahead and enable search optimization on there. Scroll down, all this looks pretty good, gonna hit Save. Still some more editing; probably should've jumped over to Categories. Resolve flowbits, yep. Now this is where you can get yourself in trouble if you want to do this individually, and let me give you an idea of how many rule sets. These aren't the rules; these are the rule sets, and then on this page here, under WAN Rules, these are all the individual rules. So you can play with it and fine tune and turn on and off things, and that's all fun. What you do when you set these rules on is: there it goes, it has the rules, and you individually decide if you want them in the logs; you go "okay, enable this, enable this". It works just like it does in Suricata: you can just say go ahead and forget that rule, or enable it, and that gets to be really, really tedious.

Let's come back to why I like Snort and what they're doing now. We're gonna go ahead and use the IPS Policy; we're gonna go ahead and set it to Security, and I can ignore all this down here, because what that's doing is: if checked, Snort will use rules from one of the three predefined IPS policies. So we're gonna go instead to a higher level one, and they describe it all down here. Connectivity blocks most threats with few or no false positives; a good starter policy; it is speedy, good base coverage level, and covers most threats of the day. Security is a stringent policy; it contains everything in the first two policies plus rules such as Flash objects in Excel files. And then we have Balanced; it's kind of the middle. So you can go full Security or Balanced. We're gonna go ahead and go full Security on this. Go ahead and Save. All right, so that part's configured.

Now let's go over to the WAN Preprocessors. When you're in here, whether or not you want to enable performance stats: default does not check it, but this can, if you want to do some logging or performance. When you're digging through the rules, Auto Rule Disable: I have found this helpful at times. If parts of rules aren't working properly and you don't have this checked, it makes Snort give an error on whichever rule. If you do this auto rule disable, it goes "okay, that part of the rule connects to another rule that's not functioning, so we're gonna go ahead and just disable that part of the rule." That seems to fix a lot of little bug issues I've run into with that, so I've seen some forum posts on this exact topic; that's checked and that solves it. Now here's the thing: it wasn't doing it, then I started doing it when I got one of the rule sets, so results may vary, but auto disabling seems to fix that. Now we're gonna scroll down through all this and leave all this set to default unless you have some reason that you want to play with all these little things. We're jumping down here to the enable for the Application ID, so we're gonna enable that, and enable OpenAppID statistics and logging, so all that's on there. Now you can also do this if you want: you can use port scan detection to detect various types of port scans and sweeps. We'll go ahead and enable it. Do you really need it? It's up to you, if you just want to know someone's scanning you. The reality is it creates a lot of noise. This is the fun thing: IDS gives you a lot of insights; IDS can create lots of noise, because at any given moment there's a whole lot of scans going on. So if you want to see who's scanning you, whatever, but it's not the most valuable information, because there's also some of the other tools out there that are just going around the web scanning in general to see if things are up and learning what things are. So it is kind of a noise thing. If you want to check it and learn more, definitely. If you have blocking on, don't turn that on, because everything that has scanned you blocks lots of things; they just do lots of probing. So we're gonna hit Save; we'll save these settings here.

All right, now the rest of them you don't really have to worry about in detail unless you're having some problems. In a separate tutorial that I'm going to get to, I've been playing around with setting it up. In case you're wondering what this is: you can export, and it's really cool; there's some neat things where you can enable all the logging to go out, put it to something more in-depth that takes all these logs and actually creates like cool interfaces with them. That's a project I'm working on; I'm just not that good at that yet, and I need to work on that tutorial. So for those wondering, or saying "why haven't you done it yet": it's in the works. It's a big project and it's something I'm working on, because it's complex, but I want to make an in-depth tutorial on how to set that up, because trying it out of the box is a little bit difficult. But yes, it does support, even if you're running this inside of pfSense, external logging servers that will allow you to create like dashboards, essentially IDS information dashboards. I'm looking for one that, if someone knows the complete one, can email me, like "oh yeah, this is fairly turnkey to plug in", great. I've been looking at some of them and they don't seem quite so turnkey.

Now back to the very first interface here. "Send alerts to system logs" and "Block offenders": this will start blocking the offenders. No need to do that right now. What you can do is turn it on and see what shows up on there, and determine whether or not you want to turn on blocking later, because you can start suppressing and ignoring things. We're gonna cover how to do that, so you can say "okay, these are some false positives", get that cleaned up, and then turn on blocking, or you'll end up with a semi-broken network. Or maybe you like doing it that way; you want to learn the hard way. That's the way you can do it; it's your network, it's open source, you can have it your way, like Burger King says. So now we're gonna go ahead and see that Snort is stopped on WAN, and we'll start it on WAN and watch it spin, and if everything went well it'll start right up. Success. It does take a second to start; I fast-forward some of those things because no one wants to sit there. And if you go to here, System, General, that's where it's loading all the logs to tell you everything that it's doing as it goes. In case you're wondering, because someone may ask: yes, this is running virtually, and actually specifically in XenServer, which I've talked about before, virtualizing pfSense in my home virtualization lab tour. Snort doesn't seem to care that it's running in that; it has not caused any problems for me at all, so I know it runs fine on real-world hardware, and you shouldn't find any issue with this. But we will note this as well: I only have two gigs of RAM in this virtual machine, and running that right there, Snort with the rules loaded, you're looking at about half the RAM. It jumps up quite a bit; a big piece of this is running Snort, so it is a little bit more memory intensive. If you have less than a gig, I think you're gonna have some problems; you'll run right on the edge, because there's really nothing going on for network traffic here, but even on my computer at home, with all the computers behind it, I've seen it get up there to about a gig and a half of usage running Snort. That's something to consider: throw at least four gigs of RAM in there and scale upwards if you're running a larger corporate network. Four gigs should be fine for a, you know, smaller network, but as you get a really large number of people, Snort, like any intrusion detection system, is both very memory intensive and very processor intensive, because you're trying to process all the traffic, so it scales up, and it could be a limiting factor if you have a really slow machine. This is an advantage that, as I understand from the back end of the way Suricata was designed, because it has more threads that can run simultaneously, it's supposed to be a little bit more efficient, and it's something I came into with Suricata. But I believe they've added a lot of efficiencies to Snort; to my knowledge, though, they still haven't become multi-threaded, but I could be wrong about that. I didn't really see anywhere, so if anyone knows, leave it in the comments and let me know, and I'll make that little note inside the description.

All right, so it's running, and now what? Well, let's cover here Snort, and let's look at Alerts. All right, nothing, nothing exciting here, so let's go create some alerts. And I know I can do it from the command line, but I'm lazy and this is clickable. I mean, I love the command line, but sometimes it's nice just to click on stuff. We're gonna go ahead and do the IP address 398 and we'll go ahead and do an intense scan here and just beat this thing up, so it's sending out lots of intense scans. Let's go ahead and auto refresh, and this is still going; give it a second here. Just make sure all this is working the way it's supposed to. Yep, it's on Security; these are the rules that are enabled right now, so great, those are the ones. No alerts, no nothing, and that's because we're just doing a pretty basic scan, not actually doing anything, so you can see it didn't do anything. So let's try this again. So we're gonna go ahead and stop it now. You don't have to stop it, but I found that if I stop it, it goes faster, because it'll stop itself when you do these rule changes. For this, because I'm unchecking this and checking this, so we're gonna go ahead and uncheck this now, hit Save (you'll see why here in a second), Save. And by not having it running, it allowed me to select all; if it's running you have to do it twice, and each time it wants to reload the rules and pauses while it reloads the rules each time. That's why I stopped it; it's not that it breaks anything, it's just slower. So now let's load all the rules so it just goes crazy with alerts. So the first time we were doing the automatic rules, but, as you noticed, we didn't check the notice every time of a port scan. So here's all the rules checked, every one of them here. So go back to the Interfaces, we'll go ahead and start the interface, and you can see the CPU just loading. It's loading in this tab and you can see it's loading up here, and it's still loading the tab, and now we're all the way up to 70% of memory. You see the memory usage goes up quite a bit when you load that many rules in, so there's another thing that happens. So it's running, and you can see already we're getting all kinds of alerts in here just because it sees activity going places. So almost every activity starts becoming an alert.

Now the way you suppress an alert, to start creating your filters, is this little box here that says "force disable this rule, remove it from the current rule set". So we'll go ahead and do this, because I know it's not really a threat, it's just checking a website, and now it's got to run and reload these rules again, and there's the pause, and it's going to disable this particular rule, and hopefully we won't get any more alerts. And here come some more things; this is just things running on the network because I'm talking to it. Now if we really want to fill it up, we go back over here, pull up Nmap again and we hit Scan. So this is scanning away. Make sure we go here too, because we're gonna see the processor usage, and then as this goes up... this is just a scan, not data passing through. If I pass data through it while this goes, it goes up even more. It didn't have too many more alerts, just a couple more, but you can see when you have this completely on you start getting noise. Now if I actually had this externally facing, you would have a ton of rules, so you have to go through and tune each rule, and that, like I said, can be very tedious. So we're gonna go ahead and stop this over here, and actually let's jump over to my house again. Now this one's configured, and I'm using the same basic premise here: we got all the rules enabled on the LAN side, no blocking, and this is, like I said, at my house, where I know there's people at my house, the kids and the wife are home and probably playing with stuff, and this is where you can see... and yes, it is on the LAN side, because I want to see the internal, not external, IPs; I want to go from inside out. You can do this on both in Snort: you can look at internals, you can look at externals. This way you can dig into this, and like I said, it's giving me that information; it's giving me the different things that are going: Netflix, Chrome, protocol, and at the same time, because it's identifying everything, because I said basically watch everything and just notify me, that's what's giving us these things like this application ID and stuff like that.

So that kind of gives you an idea how Snort works and how you may prefer to have all the rules using their pre-configured rules defined; it makes it a lot easier. And playing with the pre-configured rules at home, I think I have it set up in here, and I get this one set turned on for this. What I've been playing with: very few false positives. It's actually a very nice, clean system, and you know, you can go through and still adjust the rules as needed based on the ones they have, or you can go crazy and try and see everything in a network. Now the other nice thing about running this in a lab: turning on all these rules can be very handy for trying to figure out what a box is doing, so you can turn on everything and try to figure out what's going on in there. I actually have some plans in some future videos where I do things like use some of the different probing tools to scan for vulnerabilities and see how this performs, and I wouldn't mind at some point doing a performance test between Suricata and Snort, where I can build two lab machines and see which one sees more. Those are some future ideas I have, but hopefully it'll get you started with Snort and get you playing around with it, and like I said, using just the built-in functionality they have here, where you just use their built-in options (Connectivity, Security), save, done. It works really well and gets you going. So get playing around with Snort and learning here, and look for that future video, and if you have some ideas for a future video for how to get the logging externally in something that's nice and turnkey, that's not a more complex project, let me know and I'd be more than happy to take a look at the products. All right, well, thank you for watching, and I hope you liked the content. Hit like and subscribe.
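The tuning step the video describes, working out which rules are only producing noise and suppressing them before blocking is turned on, can be drafted from Snort's alert_fast log lines. This is an added Python example, not part of the video or of the pfSense Snort package; the alert lines, the local SIDs and the 3-alert threshold are constructed assumptions, and the `suppress` lines it emits use the threshold.conf syntax that the pfSense Suppress List tab accepts.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort's alert_fast layout (not captured traffic).
# 1000001 is in the local SID range; gid 122 is the portscan preprocessor.
SAMPLE_ALERTS = """\
01/20-14:02:11.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.40.15:80 -> 192.168.40.22:51342
01/20-14:02:13.000001  [**] [1:1000001:1] LOCAL constructed noisy HTTP rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.40.22:51350 -> 203.0.113.10:80
01/20-14:02:14.000002  [**] [1:1000001:1] LOCAL constructed noisy HTTP rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.40.22:51351 -> 203.0.113.10:80
01/20-14:02:15.000003  [**] [1:1000001:1] LOCAL constructed noisy HTTP rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.40.22:51352 -> 203.0.113.10:80
01/20-14:05:01.000004  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.168.40.50 -> 192.168.40.1
01/20-14:05:02.000005  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.168.40.51 -> 192.168.40.1
01/20-14:05:03.000006  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.168.40.52 -> 192.168.40.1
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional classification
# and priority, {protocol}, then source -> destination; ports are absent for portscans.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarise(text):
    """Group alerts by (gid, sid): message, total count and alert count per source IP."""
    summary = {}
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue  # blank or non-alert line
        entry = summary.setdefault(
            (rec["gid"], rec["sid"]), {"msg": rec["msg"], "count": 0, "sources": Counter()}
        )
        entry["count"] += 1
        entry["sources"][rec["src"]] += 1
    return summary


def draft_suppress(summary, min_count=3):
    """Draft threshold.conf-style suppress lines for signatures firing at least
    min_count times (an arbitrary assumption).  If every alert came from one host
    the entry is scoped to it with track by_src; otherwise the whole signature is
    suppressed, which is broader and deserves a closer look before it is kept."""
    lines = []
    for (gid, sid), entry in sorted(summary.items()):
        if entry["count"] < min_count:
            continue
        lines.append(f"# {entry['msg']} ({entry['count']} alerts)")
        if len(entry["sources"]) == 1:
            (ip,) = entry["sources"]
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
        else:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}")
    return lines
```

Running `draft_suppress(summarise(SAMPLE_ALERTS))` on the sample data scopes the local rule to the one chatty host and suppresses the portscan signature outright, while the single GPL alert stays visible for review.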
Info
Channel: Lawrence Systems
Views: 139,165
Keywords: Snort On pfsense, pfsense, snort, firewall, ids, router, tutorial, intrusion, network, ips, rules, detection, openappid, intrusion prevention system, snort (software), infosec
Id: -GgqYq5-EBg
Length: 22min 14sec (1334 seconds)
Published: Sat Jan 20 2018