Setting Up Snort for Network Monitoring on a pfSense Interface for Your Cybersecurity Home Lab
In today’s digital landscape, network security is a top priority for businesses and individuals alike. One of the most effective ways to safeguard your network is by implementing an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). Snort, an open-source IDS/IPS, is a powerful tool that helps monitor network traffic in real-time, identifying potential threats and malicious activity.
By integrating Snort with pfSense, a widely used open-source firewall and router platform, you can create a comprehensive network monitoring solution. This setup enables you to:
1. Monitor traffic for suspicious or unauthorized activity.
2. Detect attacks such as malware infections, port scanning, or denial-of-service attempts.
3. Respond to threats by generating alerts or blocking malicious traffic.
Step 1: Installing Snort on pfSense
1. Access the pfSense Dashboard:
Open your web browser and log into your pfSense dashboard.
Navigate to the Package Manager:
System > Package Manager.
2. Find Snort in Available Packages:
In the Package Manager, select the Available Packages tab.
In the search bar, type Snort and click Search.
Locate Snort in the search results and click Install next to it.
Wait for the installation to complete.
Step 2: Configuring Snort on pfSense
1. Access Snort Settings:
After installation, go to Services > Snort in the pfSense menu.
This will open the Snort configuration page.
2. Add an Interface for Snort:
In the Snort settings, navigate to the Snort Interfaces tab.
Click + Add to configure Snort on a specific network interface.
3. Configure the Interface:
Choose the network interface on which you want to enable Snort (WAN or LAN).
Configure the following key settings:
Snort Status: Enable or disable Snort for this interface.
Pattern Match: Choose the mode Snort will use for matching patterns in network traffic.
Blocking Mode: Set the mode for blocking malicious traffic, if desired.
4. Global Settings and Rule Updates:
After setting up the interface, go to the Global Settings tab to configure general settings.
In the Updates tab, download the latest Snort rule sets. These rules define the types of traffic Snort will monitor and alert on.
Setting Up Snort on the WAN Interface:
In this lab, Snort is enabled on the WAN interface (em0): in the Interface Settings for Snort, WAN is selected as the interface on which Snort will inspect traffic.
5. Configuring Alert Settings:
In the Alert Settings section, adjust the following:
Send Alerts to System Log: Enable this to log alerts to pfSense’s system logs.
Packet Capture: Enable this to capture packets related to triggered alerts.
Packet Capture File Size: Set this to 128 MB for packet storage.
Block Settings: Keep the default settings.
When enabled, this option blocks IPs that trigger Snort alerts. It is left unchecked in the screenshot, but it can be enabled if you want Snort to automatically block suspicious IPs.
Detection Performance Settings:
Set Search Method to the AC-BNFA algorithm, which optimizes Snort’s pattern-matching performance.
Options such as Stream Inserts and Checksum Check Disable are available for further performance tuning if needed.
Network Inspection Scope:
Home Net: Defines the internal network that Snort considers trusted or “inside.” By default, this includes your LAN and local IP ranges.
External Net: Represents external, untrusted networks. Default is to consider all non-Home Net IPs as external.
Saving and Applying Settings:
After configuring these settings, click Save to apply the configurations.
After saving, go back to the Snort Interfaces tab.
Click the green play button next to your configured interface to start Snort.
The interface status indicates that Snort is now actively monitoring and inspecting traffic on the WAN.
Step 3: Shell Access on pfSense
Now access the shell on pfSense (option 8 from the pfSense console menu) and navigate to the Snort directory (/usr/local/etc/snort/).
This directory contains configuration files and settings specific to Snort. Accessing this directory can allow for advanced configurations directly on the pfSense system if needed.
8
ls
cd /usr/local/etc/snort/
Step 4: Writing and Configuring Rules for Snort
Snort uses rules to detect and respond to potential threats in network traffic.
1. Navigate to the Rules Directory
Open the terminal or SSH into your pfSense device.
Navigate to the rules directory inside the Snort configuration folder:
cd rules/
ls
The contents of this directory should display individual Snort rule files. If the directory is empty, you need to configure rules.
2. Enable Snort Rules in the pfSense Web Interface
Go to Services > Snort.
Navigate to the Global Settings tab.
Enable Snort Subscriber Rules (VRT):
Check the box for “Enable Snort Subscriber Rules.”
Snort Subscriber Rules provide advanced detection capabilities and are updated regularly.
- Open the Snort rules registration page and create a Snort account.
- Enter your email address, create a password, and complete the CAPTCHA to register for access to Snort rules.
After registering, go to your account page to retrieve your Oinkcode. This unique code is provided by Snort to registered users and is required for downloading the Snort VRT rule set.
The Oinkcode is essential for integrating updated rules into our Snort configuration on pfSense.
Copy the Oinkcode and paste it into the Oinkcode field under Global Settings.
We will enable Snort GPLv2 Community Rules, which are free, open-source rules maintained by the Snort community.
Other available options include Emerging Threats (ET) Rules, which contain free and pro versions, and Sourcefire OpenAppID Detectors for application-layer detection.
There are additional options under Rules Update Settings in the Global Settings tab.
Options include enabling Feodo Tracker Botnet C2 IP Rules for detecting botnet traffic, and setting the Update Interval and Update Start Time for rule updates.
We can also choose to hide deprecated rules and disable SSL verification during rule updates, though these options are unchecked in the image.
We will keep the rest at the default settings.
In the General Settings section for Snort on pfSense, key settings include:
- Remove Blocked Hosts Interval: Set to “NEVER” by default, meaning blocked hosts will not be automatically unblocked.
- Remove Blocked Hosts After Deinstall: Ensures any IPs blocked by Snort are cleared if Snort is uninstalled.
- Keep Snort Settings After Deinstall: Keeps Snort settings saved even after removal of the package.
Click Save to apply these settings.
The final configuration is summarized in Snort’s Global Settings tab.
We enabled the Snort VRT rules, Snort GPLv2 Community rules, and configured the Oinkcode to access the latest rule updates.
These settings ensure that Snort on pfSense is updated with current and community-sourced rules for effective threat detection.
Step 5: Updating the Snort Rules
Go to the Updates tab in the Snort configuration on pfSense and click Update Rules to check for and download the latest rule sets for Snort.
Currently, none of the rule sets (Snort Subscriber, GPLv2 Community Rules, Emerging Threats, etc.) are downloaded or enabled, as indicated by “Not Downloaded” and “Not Enabled.”
After clicking on Update Rules, a dialog box titled Rules Update Task appears.
It will show that the rule sets are being updated, with a loading indicator. This process might take a few moments as pfSense downloads and applies the rule updates to Snort.
When the rules have been updated, the dialog shows a Result: Success message, and the Last Update timestamp reflects the latest update time.
The rule sets, including the Snort Subscriber Ruleset and GPLv2 Community Rules, will show an MD5 Signature Hash and a signature date, indicating that these rules have been successfully downloaded and are ready for use.
The Snort Interfaces tab on pfSense shows that Snort is configured and actively running on the WAN interface (em0).
The pencil icon under Actions is highlighted, indicating we are about to edit the settings for this interface.
After clicking the edit icon, we are taken to the WAN Categories tab within Snort’s interface settings.
We see options for:
- Automatic Flowbit Resolution: Automatically enables required rules based on dependencies (checked by default).
- Snort Subscriber IPS Policy Selection: Allows us to choose pre-defined policies if enabled.
Below, we see the list of rule categories that Snort can load at startup, where we can select specific categories of rules to enable or disable for monitoring.
Scrolling down shows a detailed view of the available rule categories from the Snort GPLv2 Community Rules.
Each rule category has a checkbox that allows you to enable or disable specific types of rules.
We will set up an ANY-ANY rule that captures traffic without blocking it (we will still see the log output).
After choosing the rule category, scroll down and click Save.
Now, back in the pfSense shell, run ls again:
ls
The rule set now appears in the folder; the rules were updated to the default setting.
cat snort.conf
This displays the Snort configuration.
To add rules and edit the configuration, we first need to install nano:
pkg install nano
cd ..
ls
nano snort.conf
Replace the HOME_NET value with your WAN IP/CIDR.
Save and Exit
Navigate to the rules folder and open local.rules in the text editor:
cd rules
nano local.rules
Enter the following rule:
alert icmp any any -> any any (msg:"ICMP detected from WAN"; sid:1000001;)
alert:
This is the action of the rule. It tells Snort to generate an alert if the rule’s conditions are met.
Other possible actions include log, pass, drop, reject, and sdrop.
icmp:
This is the protocol Snort should watch for. In this case, it’s icmp, which is used for ping requests, echo replies, and other types of network communication often associated with network diagnostics or reconnaissance.
Snort can detect other protocols like tcp, udp, etc., as well.
any any -> any any:
This part specifies the source and destination IP addresses and ports.
any any for both source and destination means this rule will apply to any IP address and any port, making it a very broad rule.
The -> arrow indicates the direction of traffic from source to destination. For icmp (which does not use ports), specifying any any for ports is conventional, as ICMP packets don’t have source and destination ports like TCP or UDP.
(msg:"ICMP detected from WAN"; sid:1000001;):
Inside the parentheses are the rule options. These provide additional information about the alert, define the rule’s unique identifier, and configure other rule-specific settings.
msg:"ICMP detected from WAN";: The msg option defines the alert message that will appear in the Snort logs or console. In this case, it’s “ICMP detected from WAN”. This helps you identify why the alert was triggered.
sid:1000001;: The sid (Snort ID) is a unique identifier for the rule. The SID is critical for managing and referencing rules.
SIDs for custom rules (ones you create) typically start at 1000000 or higher to avoid conflicts with built-in Snort rules. Here, 1000001 is the chosen SID.
Save and Exit
cat local.rules
Check the syntax of the Snort rule file:
/usr/local/bin/snort -l /usr/local/etc/snort/logs/ -c /usr/local/etc/snort/rules/local.rules -A console -T
snort: This is the main command to run the Snort program. Snort can operate in various modes, such as packet sniffer mode, packet logger mode, or network intrusion detection mode, depending on the options specified.
-i em0: The -i option specifies the network interface that Snort should listen to for traffic. In this case, em0 is the network interface on which Snort will monitor traffic. (It is not needed for the -T syntax check above, but it is used in the live monitoring command below.)
Example: em0 might be your Ethernet interface (wired network). If you want to monitor a different interface, you would replace em0 with the relevant interface name (like eth0, wlan0, etc., depending on your setup).
-c /usr/local/etc/snort/rules/local.rules: The -c option tells Snort where to find the configuration file. This file contains all the rules that Snort will use to detect network activity that matches certain patterns, which could indicate intrusions or other noteworthy events.
In this example, /usr/local/etc/snort/rules/local.rules is the path to the configuration file with custom rules you’ve written or added. This file might include rules that define what kinds of network activities Snort should alert on, such as specific IPs, ports, protocols, or attack signatures.
-A console: The -A option sets the alert mode. In this case, console means that Snort will print alerts directly to the console (the screen).
Other options for alerting could include logging alerts to a file, sending them to a database, or other destinations. Using console is particularly useful for testing because you can see any alerts immediately on the screen.
-T: The -T option puts Snort into test mode. In test mode, Snort doesn’t actively monitor or log network traffic; instead, it checks the syntax and configuration of your rule file and configuration file to ensure there are no errors.
This is especially useful when setting up or modifying rules, as it helps verify that there are no syntax errors in your rule files before Snort begins active monitoring. If there are any configuration errors, Snort will report them in test mode, allowing you to correct them without running into issues during live monitoring.
Create the log directory if it doesn’t exist, and ensure Snort has write permission to it:
mkdir -p /var/log/snort
chmod -R 755 /var/log/snort
Start Snort in active monitoring mode:
snort -i em0 -c /usr/local/etc/snort/rules/local.rules -A console -l /var/log/snort
-i em0: Specifies the network interface to monitor.
-c /usr/local/etc/snort/rules/local.rules: Points to the rules file.
-A console: Displays alerts on the console for real-time monitoring.
-l /var/log/snort: Directs Snort to use /var/log/snort as the log directory.
Open a second terminal window and run:
ping 8.8.8.8
Snort now captures and alerts on the ICMP traffic.
Each alert corresponds to an ICMP packet (in this case, a ping) detected by Snort. The alert displays:
Timestamp: The exact time the packet was detected.
ICMP Details: It shows the source and destination IP addresses of each ICMP packet, such as 192.168.19.12 -> 8.8.8.8 and vice versa.
Alert Message: “ICMP detected from WAN” as specified in your rule.
SID: [1:1000001:0], which matches the SID you assigned to the rule (1000001).
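To tie the rule anatomy explained above to the console alerts it produces, here is an added Python example (not part of the original tutorial) that parses local.rules using the header/option structure described earlier, enforces the custom-SID floor of 1000000, and maps -A console alert lines back to their rule via the [gid:sid:rev] field. The alert lines and their timestamps are constructed samples in Snort's console format, and the regexes and the LOCAL_SID_MIN constant are this example's own.

```python
import re

# Constructed sample input: the rule written in the tutorial plus two alert
# lines in the format Snort prints with "-A console" (timestamps are made up).
LOCAL_RULES = """
# local.rules - custom rules should use sid >= 1000000
alert icmp any any -> any any (msg:"ICMP detected from WAN"; sid:1000001;)
"""
CONSOLE_ALERTS = """
03/10-12:00:01.000001  [**] [1:1000001:0] ICMP detected from WAN [**] [Priority: 0] {ICMP} 192.168.19.12 -> 8.8.8.8
03/10-12:00:01.020002  [**] [1:1000001:0] ICMP detected from WAN [**] [Priority: 0] {ICMP} 8.8.8.8 -> 192.168.19.12
"""
# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")
OPT_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*);')  # key:value; pairs inside ( )
# Console alert: [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\].*\{(\w+)\}\s+(\S+)\s+->\s+(\S+)")
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
LOCAL_SID_MIN = 1000000  # SIDs below this are reserved for Snort's own rules

def parse_rules(text):
    """Parse local.rules into {sid: rule}; blanks and comments are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group(1) not in ACTIONS:
            raise ValueError(f"bad rule header: {line}")
        opts = {k: v.strip('"') for k, v in OPT_RE.findall(m.group(8))}
        sid = int(opts.get("sid", -1))
        if sid < LOCAL_SID_MIN:  # also catches a missing sid
            raise ValueError(f"sid missing or below {LOCAL_SID_MIN}: {line}")
        rules[sid] = {"action": m.group(1), "proto": m.group(2), "dir": m.group(5),
                      "src": (m.group(3), m.group(4)), "dst": (m.group(6), m.group(7)),
                      "msg": opts.get("msg", "")}
    return rules

def parse_alerts(text, rules):
    """Parse console alerts and map each back to its rule via the sid field."""
    hits = []
    for m in (ALERT_RE.search(l) for l in text.splitlines()):
        if m:
            sid = int(m.group(2))
            hits.append({"sid": sid, "msg": m.group(4), "proto": m.group(5),
                         "src": m.group(6), "dst": m.group(7),
                         "matches_rule": rules.get(sid, {}).get("msg") == m.group(4)})
    return hits
```

Running parse_alerts(CONSOLE_ALERTS, parse_rules(LOCAL_RULES)) returns one entry per ping direction, each flagged matches_rule=True because the sid and msg agree with local.rules.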
Additional Notes
Warning Messages:
You’re seeing the warning message: No preprocessors configured for policy 0.
This means that Snort is running without any preprocessors (like frag3, stream5, http_inspect, etc.) configured. While not essential for simple tests, preprocessors are important for full network monitoring as they help detect a broader range of attacks and reassemble fragmented packets. You can configure these in the main Snort configuration file (snort.conf) if needed.
Testing Success:
The ping command on the left side (ping 8.8.8.8) is sending ICMP packets, which your rule is detecting. This setup confirms that Snort is correctly identifying ICMP traffic.
Log File:
Since I used -A console, Snort is printing alerts directly to the console. If you also want these alerts to be logged to a file, you can specify the logging directory with -l /var/log/snort.
Next Steps (Optional)
If you want to enable additional functionality, such as preprocessors or logging to a file for future review, you could:
Edit the snort.conf file to enable preprocessors, which would expand Snort’s detection capabilities.
Log to a file by using the command:
snort -i em0 -c /usr/local/etc/snort/snort.conf -A console -l /var/log/snort
(where snort.conf includes local.rules and has the necessary configurations for preprocessors).
The current setup is working well for ICMP detection and can be extended to additional protocols and functionality from here.