Configuring Custom Rules in Snort for Network Monitoring on a pfSense Interface for Your Cybersecurity Home Lab

IritT
8 min read · Nov 27, 2024


Snort is a powerful open-source Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) that monitors and analyzes network traffic for suspicious or malicious activities. Combined with pfSense, a popular open-source firewall, Snort becomes an invaluable tool for securing your network.

Step 1: Navigate to the Snort section of pfSense.

Step 2: Open the edit option for the WAN interface.

Step 3: In WAN Rules, select "custom.rules" in the category dropdown.

Step 4: Add the custom rule set for the WAN interface, then save.

alert icmp any any -> any any (msg:"ICMP traffic detected"; sid:1000001;)
alert tcp any any -> any 22 (msg:"Multiple Failed SSH Login Attempts"; flow:to_server,established; content:"Failed password"; detection_filter:track by_src, count 100, seconds 60; sid:1000022;)
alert tcp any any -> any any (msg:"Possible SSH Scan"; flags:S,12; detection_filter:track by_src, count 100, seconds 60; sid:1000002;)
alert icmp any any -> any any (msg:"Possible Ping Flood"; detection_filter:track by_src, count 100, seconds 60; sid:1000003;)
alert tcp any any -> any any (msg:"Possible TCP Null Scan"; flags:0; sid:1000004;)
alert icmp any any -> any any (msg:"Possible ICMP Sweep"; detection_filter:track by_src, count 50, seconds 30; sid:1000005;)
alert tcp any any -> any 80 (msg:"Possible HTTP DoS Attack"; flow:to_server,established; content:"GET /"; threshold:type both, track by_src, count 50, seconds 10; sid:1000006;)
alert tcp any any -> any 443 (msg:"Possible SSL Scan"; flow:to_server,established; content:"GET /"; detection_filter:track by_src, count 100, seconds 60; sid:1000007;)
alert tcp any any -> any any (msg:"Possible SYN Flood"; flags:S; detection_filter:track by_src, count 100, seconds 60; sid:1000008;)
alert udp any any -> any 53 (msg:"DNS Amplification Attack"; content:"|00 00 29|"; sid:1000009;)
alert tcp any any -> any any (msg:"Possible TCP SYN Scan"; flags:S; detection_filter:track by_src, count 100, seconds 60; sid:1000010;)
alert udp any any -> any any (msg:"Possible UDP Scan"; detection_filter:track by_src, count 100, seconds 60; sid:1000011;)
alert ip any any -> any any (msg:"Possible IP Scan"; detection_filter:track by_src, count 100, seconds 60; sid:1000012;)
alert tcp any any -> any any (msg:"Possible TCP FIN Scan"; flags:F; detection_filter:track by_src, count 100, seconds 60; sid:1000013;)
alert tcp any any -> any any (msg:"Possible TCP ACK Scan"; flags:A; detection_filter:track by_src, count 100, seconds 60; sid:1000014;)
alert tcp any any -> any any (msg:"Possible TCP Xmas Scan"; flags:FPU; detection_filter:track by_src, count 100, seconds 60; sid:1000015;)
alert tcp any any -> any 80 (msg:"Possible SQL Injection Attempt"; content:"' OR 1=1 --"; http_uri; nocase; sid:1000016;)
alert tcp any any -> any any (msg:"Possible Nmap Scan"; flags:SFU; detection_filter:track by_src, count 100, seconds 60; sid:1000017;)
alert udp any any -> any 53 (msg:"Possible DNS Exfiltration"; content:"example.com"; sid:1000018;)
alert ip any any -> any any (msg:"Possible DDoS Attack"; detection_filter:track by_src, count 1000, seconds 60; sid:1000019;)
alert tcp any any -> any 80 (msg:"Access to Suspicious Website"; content:"example.com"; http_uri; sid:1000020;)
alert icmp any any -> any any (msg:"Possible Ping Sweep"; detection_filter:track by_src, count 50, seconds 30; sid:1000021;)
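Before pasting a rule set like this into the WAN Rules page, it pays to check it for reused sids and for rules whose match criteria are identical (such as SYN Flood and SYN Scan, or ICMP Sweep and Ping Sweep above), since those fire twice on the same packet. The checker below is an added example, not code from the original post or from the Snort project; it assumes the rule syntax shown above and runs on a constructed sample that mixes a few of the page's rules with two deliberately broken lines.

```python
import re

# Constructed sample: a subset of the page's custom.rules plus two deliberately
# broken lines (a reused sid and a rule without a sid).
SAMPLE_RULES = """\
alert icmp any any -> any any (msg:"ICMP traffic detected"; sid:1000001;)
alert tcp any any -> any any (msg:"Possible SYN Flood"; flags:S; detection_filter:track by_src, count 100, seconds 60; sid:1000008;)
alert tcp any any -> any any (msg:"Possible TCP SYN Scan"; flags:S; detection_filter:track by_src, count 100, seconds 60; sid:1000010;)
alert icmp any any -> any any (msg:"Possible ICMP Sweep"; detection_filter:track by_src, count 50, seconds 30; sid:1000005;)
alert icmp any any -> any any (msg:"Possible Ping Sweep"; detection_filter:track by_src, count 50, seconds 30; sid:1000021;)
alert udp any any -> any 53 (msg:"Reused sid"; content:"example.com"; sid:1000001;)
alert tcp any any -> any 80 (msg:"No sid"; content:"GET /";)
"""

# Header: action proto src sport direction dst dport, then "(options)".
HEADER_RE = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+'
                       r'(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# One option: keyword, optional ':' value (quoted values may contain spaces), ';'.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*((?:"[^"]*"|[^";])*))?\s*;')
METADATA = {'msg', 'sid', 'rev', 'classtype', 'reference', 'priority', 'metadata'}

def lint_rules(text):
    """Return (line_no, problem) findings for a custom.rules body."""
    findings, sid_seen, match_seen = [], {}, {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = HEADER_RE.match(line.strip())
        if not m:
            findings.append((n, 'unparseable header or unbalanced parentheses'))
            continue
        header, opts = m.groups()[:7], OPTION_RE.findall(m.group(8))
        sid = dict(opts).get('sid')
        if sid is None:
            findings.append((n, 'missing sid'))
        elif not sid.isdigit() or int(sid) < 1000000:
            findings.append((n, 'local rules should use sid >= 1000000'))
        elif sid in sid_seen:
            findings.append((n, f'sid {sid} already used on line {sid_seen[sid]}'))
        else:
            sid_seen[sid] = n
        # Match signature: every option that decides whether the rule fires.
        # Two rules sharing one signature alert twice per packet and only add noise.
        signature = (header, tuple(o for o in opts if o[0] not in METADATA))
        if signature in match_seen:
            findings.append((n, f'same match criteria as line {match_seen[signature]}'))
        else:
            match_seen[signature] = n
    return findings
```

Running `lint_rules` over the full rule set above reports the duplicate pairs mentioned in the lead-in; sids below 1,000,000 are flagged because Snort reserves that range for its distributed rules.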

1. ICMP Traffic Detection — Detects any ICMP traffic, which is commonly used for ping requests and other network diagnostic purposes.

alert icmp any any -> any any (msg:"ICMP traffic detected"; sid:1000001;)

2. Multiple Failed SSH Login Attempts

Detects multiple failed SSH login attempts (commonly used in brute force attacks).

Tracks failures by source IP over a 60-second period.

alert tcp any any -> any 22 (msg:"Multiple Failed SSH Login Attempts"; flow:to_server,established; content:"Failed password"; detection_filter:track by_src, count 100, seconds 60; sid:1000022;)

3. Possible SSH Scan — Detects a potential SSH scan (scanning multiple SSH ports or systems).

This rule triggers when many SYN packets from a single source are seen in quick succession.

alert tcp any any -> any any (msg:"Possible SSH Scan"; flags:S,12; detection_filter:track by_src, count 100, seconds 60; sid:1000002;)

4. Possible Ping Flood — Detects ping flood attacks, where a large number of ICMP requests are sent in a short period.

alert icmp any any -> any any (msg:"Possible Ping Flood"; detection_filter:track by_src, count 100, seconds 60; sid:1000003;)

5. Possible TCP Null Scan — Detects a TCP Null Scan, which is often used to evade firewalls and intrusion detection systems by sending packets with no flags set.

alert tcp any any -> any any (msg:"Possible TCP Null Scan"; flags:0; sid:1000004;)

6. Possible ICMP Sweep — Detects an ICMP sweep, which is a method to identify live hosts on a network by sending ICMP echo requests.

alert icmp any any -> any any (msg:"Possible ICMP Sweep"; detection_filter:track by_src, count 50, seconds 30; sid:1000005;)

7. Possible HTTP DoS Attack — Detects HTTP DoS attacks where multiple HTTP GET requests are made to the server in a short period.

alert tcp any any -> any 80 (msg:"Possible HTTP DoS Attack"; flow:to_server,established; content:"GET /"; threshold:type both, track by_src, count 50, seconds 10; sid:1000006;)

8. Possible SSL Scan — Detects an SSL scan, which typically involves checking SSL-based services like HTTPS.

alert tcp any any -> any 443 (msg:"Possible SSL Scan"; flow:to_server,established; content:"GET /"; detection_filter:track by_src, count 100, seconds 60; sid:1000007;)

9. Possible SYN Flood — Detects a SYN flood, a common form of Denial of Service (DoS) attack where many SYN requests are sent without completing the handshake.

alert tcp any any -> any any (msg:"Possible SYN Flood"; flags:S; detection_filter:track by_src, count 100, seconds 60; sid:1000008;)

10. DNS Amplification Attack — Detects a DNS amplification attack, where the attacker sends small queries to DNS servers to get larger responses, amplifying traffic to the target.

alert udp any any -> any 53 (msg:"DNS Amplification Attack"; content:"|00 00 29|"; sid:1000009;)

11. Possible TCP SYN Scan — Detects a TCP SYN scan, which is often used in port scanning activities.

alert tcp any any -> any any (msg:"Possible TCP SYN Scan"; flags:S; detection_filter:track by_src, count 100, seconds 60; sid:1000010;)

12. Possible UDP Scan — Detects a UDP scan, which can be used to identify open UDP ports on a target system.

alert udp any any -> any any (msg:"Possible UDP Scan"; detection_filter:track by_src, count 100, seconds 60; sid:1000011;)

13. Possible IP Scan — Detects a potential IP scan, commonly used by attackers to identify active devices on a network.

alert ip any any -> any any (msg:"Possible IP Scan"; detection_filter:track by_src, count 100, seconds 60; sid:1000012;)

14. Possible TCP FIN Scan — Detects a TCP FIN scan, another technique used to bypass firewalls and intrusion detection systems.

alert tcp any any -> any any (msg:"Possible TCP FIN Scan"; flags:F; detection_filter:track by_src, count 100, seconds 60; sid:1000013;)

15. Possible TCP ACK Scan — Detects a TCP ACK scan, which is used to map out firewall rules or detect open ports.

alert tcp any any -> any any (msg:"Possible TCP ACK Scan"; flags:A; detection_filter:track by_src, count 100, seconds 60; sid:1000014;)

16. Possible TCP Xmas Scan — Detects a TCP Xmas scan, which uses unusual TCP flags to detect open ports or services.

alert tcp any any -> any any (msg:"Possible TCP Xmas Scan"; flags:FPU; detection_filter:track by_src, count 100, seconds 60; sid:1000015;)

17. Possible SQL Injection Attempt — Detects a SQL injection attempt in HTTP requests, specifically the common `' OR 1=1 --` injection used to bypass authentication.

alert tcp any any -> any 80 (msg:"Possible SQL Injection Attempt"; content:"' OR 1=1 --"; http_uri; nocase; sid:1000016;)

18. Possible Nmap Scan — Detects Nmap scans, often used for network discovery and vulnerability assessment.

alert tcp any any -> any any (msg:"Possible Nmap Scan"; flags:SFU; detection_filter:track by_src, count 100, seconds 60; sid:1000017;)

19. Possible DNS Exfiltration — Detects DNS exfiltration attempts, where data is covertly sent through DNS queries.

alert udp any any -> any 53 (msg:"Possible DNS Exfiltration"; content:"example.com"; sid:1000018;)

20. Possible DDoS Attack — Detects a DDoS attack, where a large amount of traffic is generated in a short period.

alert ip any any -> any any (msg:"Possible DDoS Attack"; detection_filter:track by_src, count 1000, seconds 60; sid:1000019;)

21. Access to Suspicious Website — Detects access to a suspicious website (example.com), which could indicate malicious activity or exfiltration.

alert tcp any any -> any 80 (msg:"Access to Suspicious Website"; content:"example.com"; http_uri; sid:1000020;)

22. Possible Ping Sweep — Detects a ping sweep by monitoring ICMP traffic from a single source IP.

alert icmp any any -> any any (msg:"Possible Ping Sweep"; detection_filter:track by_src, count 50, seconds 30; sid:1000021;)
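Most of the rules above depend on the count and seconds values of detection_filter, and the Rule Customization note further down suggests tuning them. The model below is an added example, not Snort's code or the original post's; it follows the Snort manual's description of detection_filter (the rule fires on the (count + 1)th and every later match from the tracked host inside a sampling window timed from that host's first match) and applies the Ping Sweep rule's values to constructed ping traffic from two hosts.

```python
import re

# detection_filter as the Snort manual describes it: alert on the (count + 1)th
# and every later match from the tracked host inside a window of `seconds`,
# timed from that host's first match; once the window has elapsed the next
# match starts a new one. This is a model of that behaviour, not Snort's code.
DF_RE = re.compile(r'track\s+(by_src|by_dst)\s*,\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)')

def parse_detection_filter(value):
    """Parse a detection_filter value such as 'track by_src, count 50, seconds 30'."""
    m = DF_RE.fullmatch(value.strip())
    if not m:
        raise ValueError(f'bad detection_filter value: {value!r}')
    return m.group(1), int(m.group(2)), int(m.group(3))

def evaluate(value, packets):
    """packets: (ts, src, dst) tuples that already satisfy the rest of the rule.
    Returns the (ts, tracked_host) pairs at which the alert would fire."""
    track, count, seconds = parse_detection_filter(value)
    windows = {}  # tracked host -> (window_start, matches_in_window)
    alerts = []
    for ts, src, dst in sorted(packets):
        host = src if track == 'by_src' else dst
        start, n = windows.get(host, (None, 0))
        if start is None or ts - start >= seconds:
            start, n = ts, 0  # no window yet, or it expired: start a new one
        n += 1
        windows[host] = (start, n)
        if n > count:
            alerts.append((ts, host))
    return alerts

# Constructed echo-request stream for the page's "Possible Ping Sweep" rule:
# 192.0.2.10 pings 60 hosts at four per second; 192.0.2.20 pings one host
# 50 times, six seconds apart, which never exceeds the count in any 30-second window.
FAST = [(i // 4, '192.0.2.10', f'198.51.100.{i + 1}') for i in range(60)]
SLOW = [(i * 6, '192.0.2.20', '198.51.100.1') for i in range(50)]
PING_SWEEP_FILTER = 'track by_src, count 50, seconds 30'

def demo():
    return evaluate(PING_SWEEP_FILTER, FAST + SLOW)
```

Lowering count or raising seconds in `PING_SWEEP_FILTER` shows directly how many alerts a slower source produces, which is the trade-off the threshold tuning note is about.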

These rules are specifically crafted to detect various types of network intrusions, including:

ICMP Traffic Detection: Detects general ICMP traffic, typically used for pings and network diagnostics.

Multiple Failed SSH Login Attempts: Detects brute-force attempts on SSH services by monitoring failed login attempts.

Possible DDoS Attacks: Identifies signs of Distributed Denial of Service (DDoS) attacks based on the volume of incoming traffic.

SQL Injection Attempts: Detects SQL injection attempts within HTTP requests, which is a common attack vector.

Step 5: Save and Apply Rules

  1. After adding the custom rules, click Save to apply the changes.
  2. Ensure that the Snort service is running by checking the status page on pfSense. The rules should now be actively monitoring traffic on your WAN interface.

Real-World Example:

For instance, if someone attempts a brute force SSH attack on your network, Snort will trigger an alert such as “Multiple Failed SSH Login Attempts,” which can be used to take immediate action, such as blocking the attacking IP or further investigating the source.

Expected Results:

Once configured, Snort will analyze traffic on the WAN interface of pfSense and trigger alerts whenever suspicious activity is detected based on the custom rules you’ve set up. These alerts will help you understand what is happening in your network and take appropriate action.

Additional Considerations:

  1. Rule Customization: These rules can be customized based on your specific network needs. For example, you might adjust the detection thresholds or modify the content patterns for certain attacks.
  2. Performance Impact: Be mindful of the number of rules and their complexity, as a large number of rules can impact system performance. Test and fine-tune the rule set for optimal performance.

For more detailed information, refer to the official Snort documentation.

This configuration will significantly improve the security of your network by providing visibility into suspicious network activities.
