
9 Network Monitoring – Snort Network IDS/IPS

Julian Romano and Jacob Christensen

This chapter will guide learners to install and configure Snort as an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) for their enterprise network. Many companies may spend upward of tens of thousands of dollars on IDS and IPS devices for their security needs. Luckily for us, Snort is free to use and experiment with.

Learning Objectives

  • Install the Snort Package into the pfSense Server
  • Configure Snort to be an effective IDS and IPS
  • Trigger alerts to test Snort rules against threats

Prerequisites

Deliverables

4 screenshots are needed to earn credit for this exercise:

  • Screenshot of GNS3 Working environment once everything works
  • Screenshot of the pfSense GUI page after sign in
  • Screenshot of alert notifications through Snort
  • Screenshot of block notifications through Snort

Resources

Contributors and Testers

  • TBD

Phase I – Setting up the Lab

The following steps create a baseline environment for completing the lab. They assume the knowledge gained from completing the previous labs.

This lab is an extension of Chapter 31:

Figure 1 – Final GNS3 network
  1. Open GNS3
    1. Open the lab made in Chapter 31
    2. Save it as a new project with a name of your choice
  2. Set up GNS3 as shown in the network diagram above
  3. Start and login to the PC on the Management LAN
    1. Open a browser and type in https://99.99.99.1/ to connect to the pfSense web configuration page

      NOTE: Remember to use the default credentials to log in:
      – Username: admin
      – Password: pfsense

      Figure 2 – pfSense web configurator login page
  4. In the pfSense GUI, navigate to System–>Package Manager to install Snort
    1. Click on Available Packages, search for “snort”

      NOTE: If you are having trouble getting this to work, ensure that pfSense is fully updated (System–>Update) and that its WAN interface (ISP) is receiving a DHCP address from the NAT cloud.

      Figure 3 – pfSense package manager
    2. Click Install and Confirm to begin the Snort installation process
    3. Once completed, you should now see Snort listed under the Installed Packages tab
      Figure 4 – Snort package installed on pfSense server

Phase II – Enable and Configure Snort in pfSense

This section will set up Snort and configure the rules needed to make our IDS effective.

  1. Navigate to Services–>Snort
  2. Select the Global Settings tab and enable the download of various pre-configured rulesets
    Figure 5 – Snort rules
    1. Ensure Enable Snort VRT is checked
    2. Enter the Snort Oinkmaster Code associated with your snort.org account

      NOTE: If you do not have a snort account, click Sign Up for a free Registered User Rules Account. Your VM may not have internet access, so sign up from your host machine instead. Once taken to the sign up page, provide an email and password for your free snort account. Your Oinkcode is shown in the left-hand navigation bar of your account page and can be copied and pasted into the VM. Treat the Oinkcode like a password: it is tied to your account, so keep it out of your screenshots.

      Figure 6 – Snort oinkcode
    3. Click on Enable Snort GPLv2
    4. Click on Enable ET Open
    5. Click on Enable OpenAppID
    6. Scroll down to the bottom of the page and click Save
  3. Select the Updates tab
    Figure 7 – Snort updates page
    1. Under the Update Your Rule Set section, click Update Rules
    2. This should take a few minutes to complete…
  4. Click on the Snort Interfaces tab
    1. Click Add and make the following changes to allow Snort to monitor the ISP interface
      Figure 8 – Setup the interface settings
      Option                      Value
      Interface                   ISP (em0)
      Description                 Snort enabled on WAN interface
      Send Alerts to System Log   Selected (checked/enabled)
      1. Scroll to the bottom and click Save
      2. Select ISP Categories and make the following changes
        Figure 9 – ISP categories
        1. Check Use IPS Policy
        2. In the IPS Policy Selection drop-down menu, choose Balanced
        3. Under Select the rulesets Snort will load at startup, click Select All and then Save

          NOTE: Loading every ruleset on every interface is the simplest choice for the lab, but each loaded ruleset costs RAM, which is why the Snort instance may later stop on a small pfSense VM. On a production sensor you would load only the categories relevant to the traffic that interface actually carries.

          Figure 10 – ISP rulesets
    2. Repeat the above (Step 4.1) to add and configure Snort on pfSense’s MANAGEMENT (em1) interface, adjusting the description to match
  5. Return to the Snort Interfaces tab and select Start next to ISP (em0) and MANAGEMENT (em1)
    Figure 11 – Starting Snort service on pfSense interfaces

Phase III – Testing Snort’s IDS

Once it starts, you will see a green check mark. MAKE SURE SNORT IS RUNNING before moving on! This section focuses on testing our system (although not necessarily attacking it). It is important to note that we are not testing the software itself but the rules loaded into it.

  1. To simulate a malicious intruder breaching your network, place a Kali Linux VM within the Management LAN

    NOTE: Ensure it receives an IP address from the pfSense DHCP server!

    Figure 12 – Adding a Kali box to the Management subnet
  2. In the pfSense GUI, navigate to Services–>Snort–>Alerts
    1. In the Interface to Inspect drop-down menu, select MANAGEMENT (em1)
    2. Select Auto-refresh view and click Save
    3. You should see log entries below warning you of a potential security breach, triggered by the “Kali Linux” hostname that the VM sends in its DHCP requests. Because Kali ships with a large collection of penetration-testing tools, it should be concerning to see one suddenly appear on your network when you know it should not be there. Note that this detection is only as good as the string it matches: a Kali host with a different hostname will not trigger it, which is exactly why this phase tests the rules rather than Snort itself.

      NOTE: Your pfSense server might run low on RAM and stop the Snort instance. If this happens, unplug the cable to your Kali VM, restart Snort on the Management interface, wait for the green check mark, then plug the Kali VM back in. The alerts should appear before it stops again.

       

      Figure 13 – Snort IDS alerts

Phase IV – Intrusion Prevention System

Turning the Intrusion Detection System into an Intrusion Prevention System takes only one interface setting. With Block Offenders enabled, the pfSense Snort package adds the address of every alerting packet (source, destination or both, per the Which IP to Block option) to the snort2c firewall table, so the offending host is blocked by the pfSense packet filter rather than by Snort itself. This also means a false-positive rule blocks a legitimate host; the Pass List option on the same interface settings page is how you exempt addresses that must never be blocked, such as the pfSense gateway addresses and your management PC.
  1. In the pfSense GUI, navigate to Services–>Snort–>Interfaces
    1. Next to MANAGEMENT (em1), under Actions, select Edit

      Figure 14 – Changing from IDS to an IPS
    2. Scroll down to Block Settings and select Block Offenders

      Figure 15 – Blocking sites
    3. Save this configuration change and return to the Snort Interfaces list
  2. Restart Snort on the Management interface so the new block settings take effect
  3. Snort will now block hosts from communicating with the network as soon as their traffic matches a rule. Blocked hosts are listed under Services–>Snort–>Blocked, where an entry can also be removed if it turns out to be a false positive
  4. Disconnect the cable from your Kali VM, wait for the green check mark to indicate Snort is running on the Management interface, then reconnect the network cable for the Kali VM

    NOTE: the Kali VM connection may not be blocked depending on your RAM, but the alert will appear.

End of Lab

Deliverables

4 screenshots are needed to earn credit for this exercise:

  • Screenshot of GNS3 Working environment once everything works
  • Screenshot of the pfSense GUI page after sign in
  • Screenshot of alert notifications through snort
  • Screenshot of block notifications through snort

Homework

Assignment 1 – Add a new interface and an ICMP detection rule

  • Add the LAN interface to Snort
  • Add a Snort rule that raises an alert when ICMP traffic from the new network is detected
  • RECOMMENDED GRADING CRITERIA:
    • Screenshot of GNS3 environment
    • Screenshot of ICMP Detected from Snort Alerts Log
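
Worked example, added here and not part of the chapter or of any downloaded ruleset: a custom.rules file that answers Assignment 1 and also shows the kind of hostname match that produces the Phase III alert. The LAN subnet 192.168.1.0/24, the message texts and the SID values are assumptions chosen for illustration; substitute the values from your own lab.

```snort
# custom.rules for the LAN interface (added example; not from the chapter or from
# the VRT/ET rulesets). Assumption: the LAN subnet is 192.168.1.0/24; change it to
# match your lab. Local rules must use sid values of 1000000 or higher so they
# never collide with SIDs from the downloaded rulesets.

# Assignment 1: alert on any ICMP packet whose source is inside the LAN network.
# "icmp" as the protocol covers echo requests, replies, unreachables, etc.
# Add "itype:8;" to the option list if you only want echo requests (ping).
alert icmp 192.168.1.0/24 any -> any any (msg:"LAB ICMP from LAN network detected"; sid:1000001; rev:1; classtype:misc-activity;)

# Phase III style rule: a DHCP Discover/Request is UDP from client port 68 to
# server port 67, and DHCP option 12 (Host Name) carries the client's hostname as
# plain ASCII. A case-insensitive content match on "kali" is therefore enough to
# fire on a default Kali install, and renaming the host is enough to evade it.
alert udp any 68 -> any 67 (msg:"LAB Kali Linux hostname in DHCP request"; content:"kali"; nocase; sid:1000002; rev:1; classtype:policy-violation;)
```

To load these in pfSense, open Services–>Snort–>Interfaces, edit the LAN instance, open its LAN Rules tab, choose custom.rules in the Category Selection drop-down, paste the rules, Save, then restart Snort on that interface. A ping from any LAN host will then appear under Services–>Snort–>Alerts with the first message above, and plugging the Kali VM into the LAN will produce the second.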

License


Mastering Enterprise Networks 2e Copyright © 2024 by Mathew J. Heath Van Horn is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.