34 Network Monitoring – Snort Network IDS/IPS

Julian Romano and Jacob Christensen

This chapter will guide learners to install and configure Snort as an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) for their enterprise network. Many companies may spend upward of tens of thousands of dollars on IDS and IPS devices for their security needs. Luckily for us, Snort is free to use and experiment with.

Learning Objectives

  • Install the Snort Package into the pfSense Server
  • Configure Snort to be an effective IDS and IPS
  • Trigger alerts to test Snort rules against threats



4 screenshots are needed to earn credit for this exercise:

  • Screenshot of GNS3 Working environment once everything works
  • Screenshot of the pfSense GUI page after sign in
  • Screenshot of alert notifications through snort


Contributors and Testers

  • Jacob M. Christensen, Cybersecurity Student, ERAU-Prescott
  • Zeek Correa, Cybersecurity Student, ERAU-Prescott
  • Jungsoo Noh, Cybersecurity Student, ERAU-Prescott

Phase I – Setting up the Lab

The following steps are to create a baseline environment for completing the lab.  It makes assumptions about learner knowledge from completing previous labs.

This lab is an extension of Chapter 31:

Figure 1 – Final GNS3 network
  1. Open GNS3
    1.  Open the lab made in Chapter 31
    2. Save it as a new project: LAB_19
  2. Set up GNS3 as shown in the network diagram above
  3. Start and login to the PC on the Management LAN
    1. Open a browser and type in to connect to the pfSense web configuration page

      NOTE: Remember to use the default creds to login:
      – Username: admin
      – Password: pfsense

      pfsense login
      Figure 2 – pfSense web configurator login page
  4. In the pfSense GUI, navigate to System–>Package Manager to install Snort
    1. Click on Available Packages, search for “snort”

      NOTE: If you are having trouble getting this to work, ensure that pfSense is fully updated (System–>Update) and that its WAN interface (ISP) is receiving a DHCP address from the NAT cloud.

      pfsense login
      Figure 3 – pfSense package manager
    2. Click Install and Confirm to begin the Snort installation process
    3. Once completed, you should now see Snort listed under the Installed Packages tab
      pfsense login
      Figure 4 – Snort package installed on pfSense server

Phase II – Enable and Configure Snort in pfSense

In this section we will setup Snort and configure the rules needed to make our IDS effective.

  1. Navigate to Services-->Snort
  2. Select the Global Settings tab and enable the download of various pre-configured rulesets (Figure 5)
    1. Click on Enable Snort VRT is selected
    2. Enter the Snort Oinkmaster Code associated with your snort.org account

      NOTE: If you do not have a snort account, click Sign Up for a free Registered User Rules Account. You may not have internet on your VM, so you can go here on your host machine. Once taken to the sign up page, provide an email and password for your free snort account. You can find your Oinkcode on the left-hand navigation bar which can be copy/pasted in the VM (Figure 6).

    3. Click on Enable Snort GPLv2
    4. Click on Enable ET Open
    5. Click on Enable OpenAppID
    6. Scroll down to the bottom of the page and click Save
  3. Select the Updates tab (Figure 7)
    1. Under the Update Your rule Set section, click Update Rules
    2. This should take a few minutes to complete…
      Sleeping 0
  4. Click on the Snort Interfaces tab
    1. Click Add and make the following changes to allow Snort to monitor the ISP interface (Figure 8)
      Option Value
      Interface ISP (em0)
      Description Snort enabled on WAN interface
      Send Alerts to System Log Selected (checked/enabled)
      1. Scroll to the bottom and click Save
      2. Select ISP Categories and make the following changes (Figure 9)
        1. Click on Use IPS Policy
        2. In the IPS Policy Selection drop-down menu, choose Balanced
        3. Under Select the rulesets Snort will load at startup, click Select All and then Save (Figure 10)
    2. Repeat the Step 4.1 to install Snort on pfSense’s Management interface
  5. Return the Snort Interfaces tab and select Start next to ISP (em0) and MANAGEMENT (em1)
    pfsense login
    Figure 11 – Starting Snort service on pfSense interfaces

Phase III – Testing Snort’s IDS

Once it starts, you will see a green check mark. MAKE SURE SNORT IS RUNNING! In this section of the textbook, we will focus on testing our system (although not necessarily attacking it). It is important to note that we are not testing software itself, but the rules on that software.

  1. To simulate a malicious intruder breaching your network, place a Kali Linux VM within the Management LAN

    NOTE: Ensure it receives an IP address from the pfSense DHCP server!

    Figure 12 – Adding a Kali box to the Management subnet
  2. In the pfSense GUI, navigate to Services–>Snort–>Alerts
    1. In the Interface to Inspect drop-down menu, select MANAGEMENT (em1)
    2. Select Auto-refresh view and click Save
    3.  You should see log entries below warning you of a potential security breach due to the “Kali Linux” hostname found in its DHCP requests. Due to Kali’s multitude of pre-installed penetration software tools, it should be concerning to see it suddenly appear on your network if you know it shouldn’t be there
      pfsense login
      Figure 13 – Snort IDS alerts

Phase IV – Intrusion Prevention System

By adjusting a few rules, we can turn our Intrusion Detection System into an Intrusion Prevention System.
  1. In the pfSense GUI, navigate to Services–>Snort–>Interfaces
    1. Next to Management, under Actions, select Edit

      pfsense login
    2. Scroll down to Block Settings and select Block Offenders

      pfsense login
    3. Save this configuration change and return to the Snort Interfaces list
  2. Restart Snort on the Management interface
  3. Now Snort will block machines from communication with the network once they are identified as threats
End of Lab


4 screenshots are needed to earn credit for this exercise:

  • Screenshot of GNS3 Working environment once everything works
  • Screenshot of the pfSense GUI page after sign in
  • Screenshot of alert notifications through snort
  • Screenshot of block notifications through snort


Assignment 1 – Add a new network and ICMP Detected rule

  • Add a new network to the environment
  • Add a snort rule creating an alert if ICMP from the new network is detected
    • Screenshot of GNS3 environment
    • Screenshot of ICMP Detected from Snort Alerts Log
Figures for Printed Version
pfsense login
Figure 5 – Snort rules to download
snort login
Figure 6 – Obtaining Oinkcode from snort.org
pfsense login
Figure 7 – Snort updates tab
pfsense login
Figure 8 – Snort configuration settings for ISP interfaces
pfsense login
Figure 9 – Snort policies to enforce
pfsense login
Figure 10 – Selecting all rulesets to enforce


Icon for the Creative Commons Attribution 4.0 International License

Mastering Enterprise Networks Copyright © 2024 by Julian Romano and Jacob Christensen is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.

Share This Book