PFsense/Snort Setup

Hey guys,

I wanted to get everyone's opinion on my PFsense/Snort setup. It's my first rodeo for an IPS, so be gentle.

My primary goal is to have others OK this setup for best practices/best configurations. I have used Snort guides on the net, but some are outdated at this point, and several heads are better than one, right?

The blotted-out images are private IP addresses on the logs page. My main concern is that there are large amounts of alert events but not all IP addresses get blocked, which worries me that whatever probing they are performing is getting through or not being stopped by Snort.

So here goes:

WAN setup




LAN Setup




Looks pretty good. You don't need to run Snort on both your WAN and LAN interface; it's basically just doing everything twice. It's usually best practice to run it on the WAN interface so packets are processed before they hit the firewall. This is also the reason why you will end up with a lot of alerts, as most of what you're seeing would have been dropped by the firewall anyway.

Also I'd recommend using AC-SPLIT for the search method, it has good performance without using a ton of memory. If you have the memory to spare then AC is probably the fastest.

Also, with your rules you might want to go through and disable some of them if you just have everything selected. A lot of the rules are for policy stuff rather than security, so they will block games, or executable files being downloaded, or certain content like porn. Stuff like that. For my rules I use the balanced VRT policy, which automatically selects rules from the Snort rules, and everything from the ET rules except: chat, deleted, games, inappropriate, info, p2p, policy, and voip.

As for why some things generate an alert but aren't blocked: there is an automatic whitelist which includes the local subnet, your public IP and the gateway IP, which will not get blocked but will still generate alerts. A lot of the IPs in that screenshot were broadcast addresses, so they won't be blocked either, and the ones you blurred out are presumably your public IP. Otherwise everything which generates an alert should be blocked; if that's not the case then something is wrong.

Once you have it up and running you're going to get a lot of false positives, especially if you have a large ruleset, so you'll need to go through and disable rules which block legitimate traffic. On the alerts page you can click the X for a rule under the SID column; this will disable that rule. You can also click the + on that column, or for a specific IP address on the source or destination columns; this will add that rule, or that rule and IP address, to the suppression list. Generally, if you want to disable a rule completely then click the X, as that will disable it and stop it from being processed and using memory. Only use suppression if you only want to allow a certain IP address, as suppressed rules are still processed but the alerts are ignored.

Hope that helps.

6 Likes
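The reply above explains why an alerts page can be full while the Blocked tab stays short: the automatic pass list (local subnet, the firewall's own WAN address, the gateway) and non-unicast addresses are alerted on but never blocked. The script below is an added illustration of that logic, not code from the thread or from the pfSense Snort package. It replays a handful of constructed alert lines in Snort's `alert_fast` format against an assumed pass list and reports which hosts would actually land on the Blocked tab; the addresses, SIDs (local-rule range) and messages are all placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed alert lines in Snort's "alert_fast" output format. SIDs are in the
# local-rule range (1000000+) and the messages are made up for this example.
SAMPLE_ALERTS = """\
10/09-14:22:31.101  [**] [1:1000001:1] LOCAL example probe [**] [Priority: 2] {TCP} 203.0.113.45:4444 -> 198.51.100.10:22
10/09-14:22:32.202  [**] [1:1000002:1] LOCAL example portscan [**] [Priority: 3] {UDP} 192.168.1.20:5353 -> 224.0.0.251:5353
10/09-14:22:33.303  [**] [1:1000003:1] LOCAL example policy hit [**] [Priority: 3] {TCP} 198.51.100.10:51234 -> 198.51.100.1:53
10/09-14:22:34.404  [**] [1:1000001:1] LOCAL example probe [**] [Priority: 2] {TCP} 203.0.113.45:4445 -> 198.51.100.10:23
10/09-14:22:35.505  [**] [1:1000004:1] LOCAL example broadcast [**] [Priority: 3] {UDP} 192.168.1.1:67 -> 255.255.255.255:68
10/09-14:22:36.606  [**] [1:1000005:1] LOCAL example icmp [**] [Priority: 3] {ICMP} 203.0.113.99 -> 198.51.100.10
"""

# Assumed automatic pass list: the LAN subnet, the firewall's own WAN address and
# the WAN gateway. Placeholder addresses (RFC 1918 / RFC 5737), not the poster's.
PASSLIST = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("198.51.100.10/32"),
    ipaddress.ip_network("198.51.100.1/32"),
]

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)\s*$"
)


@dataclass(frozen=True)
class Decision:
    sid: int
    msg: str
    src: str
    dst: str
    blocked: tuple  # hosts that would appear on the Blocked tab for this alert


def strip_port(endpoint: str) -> ipaddress.IPv4Address:
    """'203.0.113.45:4444' -> 203.0.113.45; ICMP endpoints carry no port."""
    host = endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint
    return ipaddress.IPv4Address(host)


def is_blockable(ip: ipaddress.IPv4Address, passlist) -> bool:
    """Pass-listed, multicast, loopback and broadcast addresses are never blocked."""
    if ip.is_multicast or ip.is_loopback or ip.is_unspecified:
        return False
    if ip == ipaddress.IPv4Address("255.255.255.255"):
        return False
    return not any(ip in net for net in passlist)


def evaluate(alert_text: str, passlist) -> list:
    """Replay alerts, modelling 'block offenders' on both ends of the flow."""
    decisions = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line (or a format this parser does not handle)
        src, dst = strip_port(m["src"]), strip_port(m["dst"])
        blocked = tuple(str(ip) for ip in (src, dst) if is_blockable(ip, passlist))
        decisions.append(Decision(int(m["sid"]), m["msg"], str(src), str(dst), blocked))
    return decisions


def blocked_hosts(decisions) -> set:
    """Distinct hosts that would be on the Blocked tab after replaying the alerts."""
    return {ip for d in decisions for ip in d.blocked}


if __name__ == "__main__":
    results = evaluate(SAMPLE_ALERTS, PASSLIST)
    for d in results:
        print(f"sid {d.sid:<8} {d.src:>15} -> {d.dst:<15} blocked={list(d.blocked) or '-'}")
    print(f"{len(results)} alerts, {len(blocked_hosts(results))} distinct blocked host(s)")
```

Six alerts produce only two blocked hosts: the LAN-sourced mDNS and DHCP broadcasts, and the firewall's own DNS lookup to the gateway, alert but block nothing. If you want to verify this on a live box, compare the Blocked tab against the alerts whose source or destination is outside the pass list, bearing in mind that expired blocks drop off the tab.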

Great post, thanks for the info, very helpful.

I guess I should read up on the basics of firewalls, IPS, rule sets and how they work together. I think I remember reading something about how there is an order in which it's processed, i.e. IPS first, then rule set, then FW, then checks against ACL... so on and so forth, but there are sooo many options here it makes my head hurt lol.

In addition, I have decent hardware to run this: it's a quad-core Atom and 4 GB RAM. With that said, what is my best search option, you think?

My main goal is to shoot for best security, Snort is watching a separate network I have which does all P2P so I want malicious P2P stuff to get blocked.

You had mentioned that stuff would get blocked like EXEs, certain bad sites etc., but Snort doesn't seem to block any of that now; I rely on HIDS to assist with a lot of the nasty stuff.

As for stuff not getting blocked, I see this on the Alerts tab:


Note these two IPs aren't in the block section:

For the LAN, I'm hesitant to remove it since it has blocked threats in the past, but I do hear you on generally just running Snort on the WAN interface.

Thanks again for your help

Sorry, one IP is blocked, the other isn't...

Depending on how you've set it up, blocked hosts will be removed after 1 hour, so it could be that. I haven't seen a case where some traffic is blocked but other traffic isn't; basically anything on the alerts page should be blocked unless it's in the whitelist or suppression list, so if you're seeing blocks then it's safe to assume it's working correctly.

And yes, if you run it on both LAN and WAN then you will get alerts for both, but that's only because traffic from the LAN is hitting the LAN interface on Snort before then going through the WAN interface. If you only ran it on WAN then it would still be blocked, as you're running the same rules against the same traffic; you're just doing twice as much work for the same result.

I would suggest, rather than running all the rules, instead choosing the VRT IPS policy and using balanced, and then picking some of the ET rules that you think you'll want. A lot of the rules are for policy rather than security and the names can be misleading. For example, if it says p2p or chat it doesn't mean it's for securing those things but for blocking them, whereas DNS or SMTP is for security. You can find descriptions of the rules online which will help in choosing which ones you want to run.

Also remember that Snort won't be able to do anything with encrypted traffic, so if you're using HTTPS or a VPN then it can't see anything, which might be why the policy rules like blocking .exe files didn't work.

And for 4 GB of RAM I'd use AC-SPLIT (in fact I do). I've tried AC and AC-STD and I ran into memory issues with 4 GB of RAM.

2 Likes

Thanks Kane, much appreciated for your input thus far.

So for now I have disabled the LAN interface with Snort, although I must admit I never understood the difference between the rulesets: ET Open Rules, Snort Text Rules and Snort SO Rules.

Also, how does the Policy portion work between Balanced, Connectivity and Security?

I manage this FW from a static IP, how can I add this IP to the whitelist or suppress list (if there is a difference).

For the blocked hosts, I do see one block from 10/2, which is 2 weeks ago, so it seems even if they are blocked for one hour the log will keep a record (past 1 day), but I do still see public IPs generating an alert from 10/9 and there is no log of it under the blocked tab.

I feel like I've configured this correctly, so I'm not sure what else I could be missing. My main goal with this is to keep people from probing my network, and it seems like for now they are getting away with it because they aren't being blocked. Needless to say this does concern me.

Sorry for the long ramble, it's been a long day.

The different rulesets are just rules from different sources. You can just use the Snort rules if you want, as there will be a lot of overlap between them and the ET rules anyway.

If you have something in the blocked tab then it is currently blocked; once it is unblocked it is removed from that tab. The one from 10/2 might keep generating an alert so it's never released from the blocked hosts (remember Snort processes packets before the firewall, so blocked traffic will still be seen by Snort). I think it's safe to assume it's working. If you want, you can change the block time to something longer to check that things are getting blocked; just be careful not to lock yourself out. You can also look through the system log or firewall log to see what has been blocked by Snort.

I use the balanced VRT policy; it has most if not all of the security rules but none of the policy rules. Connectivity is good if you don't want to deal with false positives. I'm pretty sure the security policy just enables everything.

There's no need to add an IP to the whitelist if it's on your local network. By default all local networks and gateways are on the whitelist. If it's an external IP then you can add it by adding it to a firewall alias, then adding that alias to a passlist, then selecting that passlist in the Snort interface options.

A lot of the time traffic will show up as a port scan when Snort doesn't know what sort of traffic it is; torrent traffic, especially encrypted torrent traffic, as well as VPNs will do this. So don't place too much stock in those alerts. And don't let the quantity of alerts concern you; most, if not all, of those alerts would have been blocked by the firewall anyway. There's a lot of noise on the internet.

If it helps these are screenshots of my configuration.

1 Like

OK thanks, can you also post your blocked tab? I am curious to see what gets auto-blocked for you on a daily basis.

PS: I came across this article, was this your doing?

http://www.smallnetbuilder.com/other/security/security-howto/31451-build-your-own-utm-with-pfsense-part-2?showall=&start=1

Haha no, I'm not that articulate :P I'll post some shots of the blocked and alerts tabs when I get home. It's mostly DShield, which I think is known bad hosts.

Okay here are some screen shots.

This is the blocked list.

I have four Snort interfaces running, one for WAN and the other three for VPN connections. This is the WAN alerts; I have no open ports and most traffic goes through a VPN, so everything on here is just noise pretty much.

Yeah, I couldn't be bothered hiding my IP, it's dynamic anyway so it doesn't really matter.

This one is the VPN I use for torrents. Pretty sure all these inbound proxy connection alerts are false positives.

This is the VPN I use for browsing; there are a few alerts relating to browser exploits. The port scan alerts are false positives caused by pfSense checking the gateway status; the IPs for the gateways and Google and OpenDNS servers are all on a whitelist, but I still get the alerts.

This one is for my connection to my VPS; I use it for my mail and web servers. This one gets a few alerts for exploits like Heartbleed. These are most likely from bots or script kiddies.

I don't know how I missed this for almost 2 weeks, but I appreciate your screenshots. I don't actually get any threat intelligence/low reputation notices; not sure if you have different rules/categories set than me, but I did mirror your setup from your previous posts.

I have actually installed pfBlockerNG to block geographic IPs, so that's been my new project.

I actually am setting up a wifi card for this; what do you recommend for IP setup? I have DHCP disabled entirely on my network, so this will be no different. I ask your opinion because Logan/Qain did a how-to for the wireless card, and they set the wireless card with a host IP of 192.168.2.265 /32 with the router address of 192.168.1.1 /24.

Qain did say this was set up to put it on a separate subnet for security, but I will admit my subnetting skills are a bit rusty, so I don't see how a 192.168.2.254 /32 could talk to a 192.168.1.1 /24...

Thanks again Dex

That's what a router does. So in pfSense, if you set an interface for LAN on one network and an interface for Wi-Fi on a different network, then pfSense will allow traffic to be passed between the two networks, but you have to have a firewall rule that will allow the traffic on both interfaces. If you want either network to talk to the other without restriction, just create an allow any-to-any rule. Otherwise you could add a block rule to block traffic between the Wi-Fi and LAN networks so it will only have internet access.

If you don't want to worry about that, you can add the LAN and Wi-Fi interfaces to a bridge interface and they will both then be on the same (LAN) network. If you were to set it up that way, you could create the bridge interface and then change the LAN interface from eth1 (or whatever physical interface it's currently set to) to the new bridge interface.

As for you not getting the same alerts as me: you can see which rules I have enabled in a screenshot above, but you may just not be being targeted by those IPs. I run a web server and mail server, so it would be expected that I would get more port scans and stuff like that.

Thought I'd throw in some screenshots to help explain that better. This is my Wi-Fi interface configuration.

I don't have a Wi-Fi card; this just connects to a separate AP. In your case you'd set up the physical interface in the wireless tab of the Interfaces > Assign menu, then assign that wireless interface to a pfSense interface like WIFI or OPT1 or whatever you want to call it (you will already have LAN and WAN). Then you would configure that interface with a static IP like I have in my screenshot. I have a /24 network because I use DHCP, and I'd say do the same even if you're not using it.

If you set it up like this then you will also need to create firewall rules for that interface. Your LAN by default will have an allow any-to-any rule, but the new wireless interface will have no rules, so you will need to create one. The any-any rule will allow traffic on the wireless network to access the internet as well as the LAN. If you want to stop it from accessing the LAN, then create a block rule above the any-any rule (pfSense processes firewall rules from top to bottom until it finds a match) which will block traffic from any to the LAN subnet.

If you want the wireless network to share the same interface as the LAN network, then go to the Assign menu, open the Bridge tab and create a bridge using the wireless interface that you created and the physical interface which is currently assigned to the LAN (you may have to unassign it first), then go back to the Assign page and assign the bridge interface to the LAN.

That's my Assign menu, just so you know what I'm talking about. Once you create the bridge interface it will be available in the network ports, and then you can assign it to your LAN interface.

1 Like
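The reply above hinges on one detail that is easy to get backwards: pfSense evaluates an interface's rules top to bottom and the first match wins, so a "block WIFI to LAN" rule only does anything if it sits above the "allow any" rule. The snippet below is an added toy first-match evaluator written for this thread, not pfSense code; the 192.168.1.0/24 (LAN) and 192.168.2.0/24 (WIFI) subnets, rule labels and test addresses are assumptions for the sake of the example. It shows the same two rules in both orders and what each order does to a Wi-Fi client talking to the LAN and to the internet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN subnet
WIFI_NET = ipaddress.ip_network("192.168.2.0/24")  # assumed WIFI (OPT1) subnet
ANY = None  # a rule with src/dst None matches any address, like pfSense "any"


@dataclass(frozen=True)
class Rule:
    action: str                             # "pass" or "block"
    src: Optional[ipaddress.IPv4Network]    # None means any
    dst: Optional[ipaddress.IPv4Network]
    label: str


# Rules on the WIFI interface: the block must come first to have any effect.
WIFI_RULES_CORRECT = [
    Rule("block", WIFI_NET, LAN_NET, "WIFI to LAN"),
    Rule("pass", WIFI_NET, ANY, "WIFI to any"),
]

# Same two rules, wrong order: the block rule is never reached.
WIFI_RULES_WRONG_ORDER = [
    Rule("pass", WIFI_NET, ANY, "WIFI to any"),
    Rule("block", WIFI_NET, LAN_NET, "WIFI to LAN"),
]


def first_match(rules, src_ip: str, dst_ip: str) -> Optional[Rule]:
    """Top-to-bottom evaluation; the first rule whose src and dst match wins."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for rule in rules:
        if (rule.src is None or src in rule.src) and (rule.dst is None or dst in rule.dst):
            return rule
    return None


def verdict(rules, src_ip: str, dst_ip: str) -> str:
    """Human-readable outcome; with no matching rule pfSense's default is to block."""
    rule = first_match(rules, src_ip, dst_ip)
    if rule is None:
        return "block (implicit default)"
    return f"{rule.action} ({rule.label})"


if __name__ == "__main__":
    cases = [("192.168.2.50", "192.168.1.10"),   # Wi-Fi client -> LAN host
             ("192.168.2.50", "203.0.113.7"),    # Wi-Fi client -> internet
             ("10.0.0.5", "192.168.1.10")]       # source not on WIFI subnet at all
    for name, rules in (("correct order", WIFI_RULES_CORRECT),
                        ("wrong order", WIFI_RULES_WRONG_ORDER)):
        print(name)
        for src, dst in cases:
            print(f"  {src:>13} -> {dst:<13} {verdict(rules, src, dst)}")
```

The third case is a reminder that "WIFI net" as the source is narrower than "any": a packet arriving on the Wi-Fi interface with a spoofed or misconfigured source outside 192.168.2.0/24 hits no rule and falls through to the implicit default block. If that is not what you intend, use "WIFI address"/"any" deliberately rather than by accident.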

I actually broke out my Network+ book last night after about 3 years. I found that I am able to do the math portion of it, but I'm having a hard time visualizing it in my head.

I am trying to figure out the subnet portion of this so I can understand how the wifi card on a separate subnet can ultimately talk to the router.

I believe, from what I can remember, that whatever IP address you give a host, it must be in the same network segment as the router.

Rantings aside, I wanted to take an example network and figure out an address I could use for the wifi card. I will bridge this with my LAN, as I use my iPhone to access resources on my LAN.

Router address: 10.39.3.1
Subnet Mask: 255.255.255.224 or /27

If you're bridging it then it doesn't need an IP address. Currently your LAN interface has an address, which would be 10.39.3.1. When you create a bridge with your LAN NIC and wireless card, you will assign that bridge to your LAN interface. Then the bridge will have the 10.39.3.1 address.

You would only need to have an IP for the Wi-Fi if it's on its own interface. In that case the Wi-Fi interface will use an IP that is in the same subnet as the Wi-Fi devices but in a different subnet to the LAN network. In this situation you have three interfaces: WAN, LAN and WIFI. Each is on a different subnet, and the router is able to pass traffic between the interfaces and therefore between devices on those subnets.

You are correct about devices on one subnet not being able to communicate with devices on another. But this only applies if those devices are connected by a switch. If you have a router with an interface on each subnet then those two subnets can communicate. But the router must have an interface in each subnet, or a connection to another router with more subnets behind it.

Cool, thanks for the fast response.

For example, say I had:

Router Address: 172.16.241.1
Subnet Mask: 255.255.0.0 (Class B)

If I had IPs in these ranges (note the 3rd octet always changes):

172.16.11.1-172.16.11.254
172.16.18.1-172.16.18.254
172.16.19.1-172.16.9.254

So for example, the three subnets there, 11, 18 and 19, all with 254 hosts: the router address lies in those 3 subnets, so it can route between all three subnets?

PS: What do you do for work, sysadmin or something in that ballpark?

No. In that example you have 4 subnets. The router is on 127.16.0.0/16 and the others are 127.16.11.0/24, 127.16.18.0/24 and 127.16.19.0/24

So the router isn't on the same subnet as the other networks. If they were all /16 networks then it would be the same subnet and you wouldn't need to route the traffic anyway.

But that isn't how it works. The router would need to have an interface in each network, not just an address which is covered by each subnet. The interfaces don't need to be physical; you can use a single physical interface with several logical VLAN interfaces, but in this example your router would need three network interfaces, each with an address in the subnet it's connected to.

So you would have interface 1 connected to the 127.16.11.0/24 network with an address of 127.16.11.1, interface 2 connected to the 127.16.18.0/24 network with an address of 127.16.18.1, and interface 3 connected to the 127.16.19.0/24 network with an address of 127.16.19.1.

Think of it like a switch, where the switch knows which device is on which port using MAC addresses. A router knows which network is on each interface (port) and sends traffic based on the IP address. On a switch it figures out where the MAC address is by using ARP, which is a type of broadcast traffic. Broadcast traffic only works on the subnet that it's sent on. So if you try to communicate with a device on a different subnet, the broadcast traffic won't reach that device and therefore the switch won't know where to send the traffic. On a routed network, if the destination is not on the local subnet then the device sends it to a router based on a list of static routes or just a default gateway. The router then reads the IP address and sends it to the interface which leads to that network; then the switch figures out where it needs to go based on MAC addresses again.

If I was at home I'd have drawn a diagram to help explain that, but I'm on my phone at the moment, so sorry if that didn't make much sense.

And no, I work in a winery; I just do this network stuff as a hobby :P so this is really just my understanding of it and you should probably take it with a grain of salt.

1 Like
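The exchange above (router address inside a big /16, hosts on /24s) is the classic subnetting trap: a host decides for itself, from its own mask, whether a destination is on-link (ARP for it) or off-link (hand it to the gateway), and the gateway itself must be on-link or it is useless. The script below is an added worked example, not anything the posters wrote; it uses the 172.16.x.x addresses from the question (the reply's "127.16" is taken here to be a slip for 172.16) and a hypothetical router with three interfaces. It answers, for a given host, destination and configured gateway, whether the packet is delivered directly, routed, or goes nowhere, and in the mixed-mask case it also shows why the /16 router address does not help.

```python
import ipaddress
from typing import Optional

# Hypothetical router with one interface per /24, each carrying the .1 address.
# Interface names are made up; addresses follow the question's 172.16.x.0/24 subnets.
ROUTER_IFACES = {
    "em1": ipaddress.ip_interface("172.16.11.1/24"),
    "em2": ipaddress.ip_interface("172.16.18.1/24"),
    "em3": ipaddress.ip_interface("172.16.19.1/24"),
}


def on_link(host: ipaddress.IPv4Interface, target: str) -> bool:
    """The host's own mask decides: same subnet means ARP directly, else use a gateway."""
    return ipaddress.IPv4Address(target) in host.network


def egress_interface(ifaces, dst: str) -> Optional[str]:
    """Longest-prefix match over the router's connected networks; None if no route."""
    dst_ip = ipaddress.IPv4Address(dst)
    best = None
    for name, iface in ifaces.items():
        if dst_ip in iface.network:
            if best is None or iface.network.prefixlen > ifaces[best].network.prefixlen:
                best = name
    return best


def path(ifaces, src_host: str, dst: str, gateway: str) -> str:
    """Trace one packet from a host (address/prefix) to dst via its configured gateway."""
    src = ipaddress.ip_interface(src_host)
    gw_ip = ipaddress.IPv4Address(gateway)
    if on_link(src, dst):
        return "on-link"  # host ARPs for dst itself; the router is not consulted
    if gw_ip not in src.network:
        return f"unreachable: gateway {gateway} is not on the host's subnet {src.network}"
    ingress = next((n for n, i in ifaces.items() if i.ip == gw_ip), None)
    if ingress is None:
        return f"unreachable: {gateway} is not an address on the router"
    egress = egress_interface(ifaces, dst)
    if egress is None:
        return f"unreachable: router has no interface for {dst}"
    return f"routed: in {ingress} via {gateway}, out {egress}"


if __name__ == "__main__":
    cases = [
        ("172.16.11.5/24", "172.16.11.9", "172.16.11.1"),   # same /24: direct
        ("172.16.11.5/24", "172.16.18.7", "172.16.11.1"),   # cross-subnet: routed
        ("172.16.11.5/24", "172.16.18.7", "172.16.241.1"),  # the /16 router address
        ("172.16.11.5/24", "172.16.30.7", "172.16.11.1"),   # no interface for .30
        ("172.16.11.5/16", "172.16.18.7", "172.16.11.1"),   # host wrongly masked /16
    ]
    for host, dst, gw in cases:
        print(f"{host:>17} -> {dst:<13} gw {gw:<13} {path(ROUTER_IFACES, host, dst, gw)}")
```

The last case is the subtle one: a host configured with a /16 mask reports "on-link" for 172.16.18.7 and will ARP for it on its own segment, where that host is not, so the traffic is lost even though the router could have forwarded it. Mismatched masks therefore produce one-way or intermittent reachability rather than a clean failure, which is worth checking with `ipconfig`/`ifconfig` on both ends before blaming firewall rules.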

You can still have a device in your Wi-Fi network access a device on your LAN network when they are configured with separate interfaces. You just need to make the appropriate firewall rules in pfSense.

The advantage of having separate networks is that you can restrict access between devices on each network. The advantage of bridging is that they are on the same network, so you can use a single DHCP pool and use things which rely on broadcast traffic, like DLNA.

Either way will work; it just depends how you want to set up the network. I have a separate wireless network for security purposes. If someone sniffs it they can't see what's on the LAN, only what's on the Wi-Fi (you can see devices on a wireless LAN even without knowing the password), and if someone does manage to get in they won't have access to anything, as only devices I've configured with a static address can get through the firewall.

When you bridge the two interfaces they end up on the same network, so you have no access control between the two, but it's also easier to configure if you don't want to restrict access.

If you want, I can share my firewall rules, but they're a little complicated so it might not make much sense.