34 Network Monitoring – Snort Network IDS/IPS
Julian Romano and Jacob Christensen
This chapter will guide learners to install and configure Snort as an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) for their enterprise network. Many companies may spend upward of tens of thousands of dollars on IDS and IPS devices for their security needs. Luckily for us, Snort is free to use and experiment with.
Learning Objectives
- Install the Snort Package into the pfSense Server
- Configure Snort to be an effective IDS and IPS
- Trigger alerts to test Snort rules against threats
Prerequisites
Deliverables
4 screenshots are needed to earn credit for this exercise:
- Screenshot of GNS3 working environment once everything works
- Screenshot of the pfSense GUI page after sign in
- Screenshot of alert notifications through Snort
- Screenshot of block notifications through Snort
Resources
- Special thanks to
Contributors and Testers
- Jacob M. Christensen, Cybersecurity Student, ERAU-Prescott
- Zeek Correa, Cybersecurity Student, ERAU-Prescott
- Jungsoo Noh, Cybersecurity Student, ERAU-Prescott
Phase I – Setting up the Lab
The following steps are to create a baseline environment for completing the lab. It makes assumptions about learner knowledge from completing previous labs.
This lab is an extension of Chapter 31:
- Open GNS3
- Open the lab made in Chapter 31
- Save it as a new project: LAB_19
- Set up GNS3 as shown in the network diagram above
NOTE: This example uses version 2.7.2 of pfSense Community Edition.
- Start and login to the PC on the Management LAN
- Open a browser and type in https://99.99.99.1/ to connect to the pfSense web configuration page
NOTE: Remember to use the default creds to login:
– Username: admin
– Password: pfsense
- In the pfSense GUI, navigate to System -> Package Manager to install Snort
- Click on Available Packages, search for “snort”
NOTE: If you are having trouble getting this to work, ensure that pfSense is fully updated (System -> Update) and that its WAN interface (ISP) is receiving a DHCP address from the NAT cloud.
- Click Install and Confirm to begin the Snort installation process
- Once completed, you should now see Snort listed under the Installed Packages tab
Phase II – Enable and Configure Snort in pfSense
In this section we will set up Snort and configure the rules needed to make our IDS effective.
- Navigate to Services -> Snort
- Select the Global Settings tab and enable the download of various pre-configured rulesets (Figure 5)
- Make sure Enable Snort VRT is selected
- Enter the Snort Oinkmaster Code associated with your snort.org account
NOTE: If you do not have a snort.org account, click Sign Up for a free Registered User Rules Account. Your VM may not have internet access, so you can visit snort.org on your host machine instead. Once taken to the sign-up page, provide an email and password for your free Snort account. You can find your Oinkcode on the left-hand navigation bar; it can be copied and pasted into the VM (Figure 6).
- Click on Enable Snort GPLv2
- Click on Enable ET Open
- Click on Enable OpenAppID
- Scroll down to the bottom of the page and click Save
- Select the Updates tab (Figure 7)
- Under the Update Your Rule Set section, click Update Rules
- This should take a few minutes to complete…
- Click on the Snort Interfaces tab
- Click Add and make the following changes to allow Snort to monitor the ISP interface (Figure 8)
| Option | Value |
| --- | --- |
| Interface | ISP (em0) |
| Description | Snort enabled on WAN interface |
| Send Alerts to System Log | Selected (checked/enabled) |
- Repeat the Add step above to install Snort on pfSense’s Management interface
- Return to the Snort Interfaces tab and select Start next to ISP (em0) and MANAGEMENT (em1)
Phase III – Testing Snort’s IDS
Once it starts, you will see a green check mark. MAKE SURE SNORT IS RUNNING! In this section of the textbook, we will focus on testing our system (although not necessarily attacking it). It is important to note that we are not testing software itself, but the rules on that software.
- To simulate a malicious intruder breaching your network, place a Kali Linux VM within the Management LAN
NOTE: Ensure it receives an IP address from the pfSense DHCP server!
- In the pfSense GUI, navigate to Services -> Snort -> Alerts
- In the Interface to Inspect drop-down menu, select MANAGEMENT (em1)
- Select Auto-refresh view and click Save
- You should see log entries below warning you of a potential security breach due to the “Kali Linux” hostname found in its DHCP requests. Because Kali ships with a multitude of pre-installed penetration-testing tools, it should be concerning to see it suddenly appear on your network if you know it shouldn’t be there.
Phase IV – Intrusion Prevention System
- In the pfSense GUI, navigate to Services -> Snort -> Interfaces
- Next to Management, under Actions, select Edit
- Scroll down to Block Settings and select Block Offenders
- Save this configuration change and return to the Snort Interfaces list
- Restart Snort on the Management interface
- Now Snort will block machines from communicating with the network once they are identified as threats
End of Lab
Deliverables
4 screenshots are needed to earn credit for this exercise:
- Screenshot of GNS3 Working environment once everything works
- Screenshot of the pfSense GUI page after sign in
- Screenshot of alert notifications through snort
- Screenshot of block notifications through snort
Homework
Assignment 1 – Add a new network and ICMP Detected rule
- Add a new network to the environment
- Add a Snort rule that creates an alert when ICMP traffic from the new network is detected
- RECOMMENDED GRADING CRITERIA:
- Screenshot of GNS3 environment
- Screenshot of ICMP Detected from Snort Alerts Log
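The alerts you review in Phase III, the offenders that Block Offenders acts on in Phase IV, and the custom ICMP rule of Assignment 1 all revolve around Snort's one-line "fast" alert format and its rule syntax. The following Python script is an added example, not part of this chapter or of the Snort or pfSense projects: it parses fast-format alert lines, lists the alerts coming from a hypothetical new network (10.10.10.0/24), tallies the source hosts that would be treated as offenders, and generates a local ICMP rule in Snort syntax. The sample alert lines, their SIDs, messages and addresses are all constructed for this example; the network 99.99.99.0/24 is the Management LAN from the lab.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Snort "fast" alert line, the one-line form shown under Services -> Snort -> Alerts
# and forwarded to the system log when "Send Alerts to System Log" is enabled.
# Pattern written for this example; IPv4 only, which is all the lab uses.
_FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: three local-rule alerts plus one non-alert syslog line.
# SIDs >= 1000000 are the range reserved for locally written rules.
SAMPLE_ALERTS = """\
03/14-10:21:07.113245  [**] [1:1000001:1] LAB DHCP request with Kali hostname [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 0.0.0.0:68 -> 255.255.255.255:67
03/14-10:22:41.009812  [**] [1:1000002:1] LAB ICMP from new network detected [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.10.10.5 -> 99.99.99.1
03/14-10:22:42.010033  [**] [1:1000002:1] LAB ICMP from new network detected [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.10.10.5 -> 99.99.99.1
03/14-10:25:13.557120  [**] [1:1000003:2] LAB suspicious scanner traffic [**] [Priority: 2] {TCP} 99.99.99.50:44321 -> 99.99.99.1:443
Mar 14 10:25:14 pfSense snort[1234]: restarting on em1
"""


@dataclass
class Alert:
    timestamp: str
    sid: int
    rev: int
    msg: str
    priority: int  # Snort convention: 1 is the most severe, larger numbers are less urgent
    proto: str
    src: str
    dst: str


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format alert line; return None for lines that are not alerts."""
    m = _FAST_ALERT.match(line.strip())
    if not m:
        return None
    return Alert(timestamp=m["ts"], sid=int(m["sid"]), rev=int(m["rev"]), msg=m["msg"],
                 priority=int(m["prio"]), proto=m["proto"], src=m["src"], dst=m["dst"])


def parse_alerts(text: str) -> list:
    """Parse every alert line in a log excerpt, skipping anything that is not an alert."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


def alerts_from_network(alerts, network: str) -> list:
    """Alerts whose source address lies inside the given network (e.g. the homework's new LAN)."""
    net = ip_network(network)
    return [a for a in alerts if ip_address(a.src) in net]


def offenders(alerts, max_priority: int = 2, ignore=("0.0.0.0",)) -> Counter:
    """Count alerts per source host at or above a severity threshold.

    This is the view Block Offenders acts on in Phase IV. A DHCP request is sent
    from the unspecified address 0.0.0.0, so it carries no host address to block;
    such sources are ignored by default.
    """
    counts = Counter()
    for a in alerts:
        if a.priority <= max_priority and a.src not in ignore:
            counts[a.src] += 1
    return counts


def build_icmp_rule(network: str, sid: int, msg: str, rev: int = 1) -> str:
    """Return a Snort rule that alerts on any ICMP packet sourced from `network`."""
    net = ip_network(network, strict=True)  # rejects a host address such as 10.10.10.5/24
    if sid < 1000000:
        raise ValueError("local rules must use sid >= 1000000 to avoid clashing with downloaded rulesets")
    if '"' in msg or ";" in msg:
        raise ValueError("msg must not contain quotes or semicolons")
    return (f"alert icmp {net} any -> any any "
            f'(msg:"{msg}"; classtype:misc-activity; sid:{sid}; rev:{rev};)')


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(f"parsed {len(alerts)} alerts")
    for a in alerts_from_network(alerts, "10.10.10.0/24"):
        print(f"  new-network alert: {a.timestamp} {a.proto} {a.src} -> {a.dst}: {a.msg}")
    print("offenders (priority <= 2):", dict(offenders(alerts)))
    print(build_icmp_rule("10.10.10.0/24", 1000002, "LAB ICMP from new network detected"))
```

The generated rule is what you would paste into the interface's custom rules in pfSense for Assignment 1; the `any -> any any` destination keeps the rule broad so that a single ping from the new LAN is enough to produce a log entry. Note that Snort priorities are inverted relative to intuition (1 is the most severe), which is why `offenders` uses `<=` for its threshold.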