This workshop is a quick overview of pfSense + SNORT.
A more in-depth set of instructions is available on the Oxford ITSS wiki, and I'll upload them to a public web site too.
Oxford ITSS wiki link: https://wiki.it.ox.ac.uk/itss/pfSense
Web site: http://users.ox.ac.uk/~clas0415/
Commercial options.
We found several commercial brands of firewall in use within the university.
Recommended makes were:
Palo Alto
Fortinet's Fortigate (with special pricing negotiated via NSMS)
Dell's SonicWall series
WatchGuard's XTM series
Commercial firewalls
The good:
Ease of use (used WatchGuard, saw SonicWall & tried Fortinet)
Low maintenance.
Cost for 100Mb/s bandwidth capacity is affordable.
Works with little configuration, out of the box.
The downside:
Cost for 1Gb/s is much higher (around 10,000 over 5 years).
There can be vendor lock-in for 3-5 years on some contracts.
We found the two units from one manufacturer to be unreliable under long-term use.
pfSense requirements.
Running as a stateful firewall, pfSense alone requires only a modest system:
PCIe bus, to ensure enough bandwidth for the NICs.
Enough NICs, preferably well-supported NICs such as Intel Pro.
Preferably a 64-bit processor.
With the SNORT IDS/IPS package, 4Gb of RAM is recommended, as well as a good multicore processor.
[Diagram: physical NICs em0, em1, em2, igb0, igb1, igb2; NIC aggregation into LAGG0 and LAGG1; virtual interfaces WAN, OPT1 and LAN carrying WAN traffic and LAN traffic; BRIDGE for network linking; pfSense Web GUI.]
SNORT package configuration
Install SNORT package.
Set up an interface to use with SNORT.
Subscribe to SNORT rules sources.
Set up SNORT categories.
Check SNORT rules for each category and monitor for SNORT alerts.
Create white list and suppression list.
When SNORT is ready, test in non-blocking
Setting up aliases.
Add new alias
Edit alias
Delete alias
Firewall rules
Move selected rules before this rule.
Interfaces configuration
Selecting the rulesets you need.
Preprocessor configuration
Positive?
Resolving IP addresses to host names can help identify the hosts involved.
The rule descriptions will give you the rule that triggered the alert, as well as its SID number.
Look out for rules which say "possible" in the wording.
If you think the host may be genuine and the rule suspect, check the source IP and the destination port and IP carefully.
Use online IP reputation websites to look up known bad IPs as a second source of reference (such as IP Checker, IP Void or others).
Suppress alerts for this rule from this IP
Remove this IP from the block list.
Suppress alerts for this rule to this IP
Suppress all alerts for this rule
Disable this rule and delete it!
Suppression vs disabling
If you have the option, suppressing an IP will give you more flexibility, allowing you to add an exception to a rule for a destination or source IP.
You can modify any exceptions you make in the suppression list (which is a list of SNORT suppression rules).
Disabling a rule will reduce the load on SNORT slightly, but it is a last resort and will mean SNORT will not monitor future occurrences.
It is better to disable rules in the interface rules tab rather than delete them in the alerts tab (just in case you change your mind).
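As an added example (not part of the original slides), here is what the suppress actions on the alerts tab correspond to once written into the suppression list, in Snort's own suppress/event_filter syntax. The sig_id values and IP addresses are placeholders, not taken from the deck; gen_id 120 is the http_inspect server-side generator id.

```conf
# Added example suppression list for the pfSense SNORT package.
# sig_id numbers and IP addresses below are placeholders.

# "Suppress alerts for this rule from this IP": the rule still runs,
# but alerts whose source address matches are dropped.
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.10

# "Suppress alerts for this rule to this IP": the same rule, keyed on
# the destination address. One entry cannot track both directions, so a
# host that appears as source and as destination needs two entries.
suppress gen_id 1, sig_id 1000001, track by_dst, ip 192.0.2.10

# A CIDR block or a bracketed list covers several known-good hosts.
suppress gen_id 1, sig_id 1000002, track by_src, ip [198.51.100.0/24,192.0.2.20]

# "Suppress all alerts for this rule": with no track/ip clause the rule
# is silenced for every host while still being evaluated. Prefer the
# host-specific entries above when the false positive is tied to hosts.
suppress gen_id 1, sig_id 1000003

# Preprocessor alerts carry their own generator id (gen_id other than 1),
# so the SID shown in the alert must be paired with that gen_id.
suppress gen_id 120, sig_id 3, track by_src, ip 192.0.2.30

# For an alert that is genuine but noisy, rate-limit it rather than hide
# it: at most one alert per source address every 60 seconds.
event_filter gen_id 1, sig_id 1000004, type limit, track by_src, count 1, seconds 60
```

Because every entry keeps the rule enabled, removing a line from this list restores full alerting, whereas a rule deleted from the alerts tab has to be re-enabled in the interface rules tab.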
Questions?
Diggory Gray (ITSS), Faculty of Classics, Oxford University.
Reference
General pfSense guides:
Traffic limiting guides:
http://blog.allanglesit.com/2011/08/traffic-limiting-with-pfsense-2-0-rc3/
http://www.hammerweb.com/blog/2011/09/traffic-shaper-in-pfsense-2-0/
SNORT specific:
pfSense Tweaks
http://wiki.abadonna.info/doku.php?id=pfsense:tricks