This is a follow-up to the part 1 pfSense article that I wrote a while back. In this article I will focus on packages that can be installed on pfSense, as well as on configuring Snort, an IDS/IPS that integrates well with the pfSense firewall.

In order to see which packages are available for installation, start by heading over to System–>Packages.

On the package manager window head over to the “Available Packages” tab. In here you will have a list of system packages that you can download and install for pfSense.

The first package that I recommend getting is a system enhancement and it is called “widescreen”. If you have a widescreen monitor and are using a resolution that has an aspect ratio of 16:9 or 16:10 then this is a must. This package will give you a better experience while navigating pfSense.

The next package that you should grab is called “arpwatch”. This package monitors ARP requests on your local area network and keeps a list of MAC address to IP address pairings. This is useful when you want to see which hosts are connected to your LAN. It is also a great tool for spotting intruders on your network, since any device that talks on the LAN has to answer ARP.

Configuring arpwatch takes a matter of seconds. Once you have downloaded the package, all you have to do is head over to Services–>arpwatch. In here you want to select your LAN interface as the listening interface, since we want to monitor the ARP packets being sent on the local area network.

Once you have configured arpwatch, it will take a couple of minutes for it to populate its entry table. You can view the entry table by clicking on the reports tab.

From the screenshot above you can see that we have an IP address to MAC address mapping, and it also gives you the hostname of those computers in your local area network. You can tell that I am using addresses from the 192.168.x.x class C private range and that I removed the last six hex digits of each MAC address since those are unique to my devices.
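As an added example (not part of this article or of arpwatch itself), here is a small script that reads arpwatch's arp.dat database and compares two snapshots to produce the same kind of events arpwatch mails out: a "new station" for a MAC address never seen before and a "changed ethernet address" when an IP address now answers from a different MAC. The tab-separated arp.dat layout (MAC, IP, last-seen epoch, optional hostname) is assumed, and the two snapshots are constructed sample data.

```python
from collections import defaultdict

# Constructed snapshots of arpwatch's arp.dat. Assumed layout per line:
# <mac>\t<ip>\t<last-seen epoch>\t[hostname]
BASELINE = (
    "aa:bb:cc:00:00:01\t192.168.1.1\t1710400000\tgateway\n"
    "aa:bb:cc:00:00:02\t192.168.1.10\t1710400100\tlaptop\n"
)
CURRENT = (
    "aa:bb:cc:00:00:01\t192.168.1.1\t1710410000\tgateway\n"
    "aa:bb:cc:00:00:02\t192.168.1.10\t1710410100\tlaptop\n"
    "aa:bb:cc:00:00:03\t192.168.1.50\t1710410200\n"           # unknown device, no hostname
    "aa:bb:cc:00:00:04\t192.168.1.1\t1710410300\tgateway\n"   # gateway IP now from a new MAC
)

def parse_arp_dat(text):
    """Parse arp.dat into a list of {mac, ip, ts, host} dicts; the hostname may be missing."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 3:
            continue
        entries.append({"mac": parts[0].lower(), "ip": parts[1], "ts": int(parts[2]),
                        "host": parts[3] if len(parts) > 3 and parts[3] else None})
    return entries

def diff_stations(baseline, current):
    """Report what arpwatch would: ('new station', ip, mac) for an unseen MAC and
    ('changed ethernet address', ip, mac) when an IP is now paired with a different MAC.
    A gateway IP suddenly answering from a new MAC is the classic ARP-spoofing symptom."""
    known_macs = {e["mac"] for e in baseline}
    ip_to_macs = defaultdict(set)
    for e in baseline:
        ip_to_macs[e["ip"]].add(e["mac"])
    events = []
    for e in current:
        if e["mac"] not in known_macs:
            events.append(("new station", e["ip"], e["mac"]))
        if ip_to_macs[e["ip"]] and e["mac"] not in ip_to_macs[e["ip"]]:
            events.append(("changed ethernet address", e["ip"], e["mac"]))
    return events

if __name__ == "__main__":
    for event in diff_stations(parse_arp_dat(BASELINE), parse_arp_dat(CURRENT)):
        print(*event)
```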

Moving onto other packages, I also recommend getting “bandwidthd”. This is a very useful tool that allows you to view the traffic usage of the clients in your local network. You will be able to tell which clients have consumed the most bandwidth over a certain period of time, all formatted into one nice chart.

Once you have the package installed you can view the settings by going over to Services–>BandwidthD. In here you want to enable bandwidthd and select the interface that it will bind to. If you are monitoring the usage of clients on your local area network then you should select that interface. The other thing that you want to specify here is the subnet that you want to report on. This is normally the private IP range(s) that you are using in your LAN; in my case I am using the 192.168.x.x class C private range for my internal addressing.

After it has been configured and is up and running, you should start seeing reports from bandwidthD by clicking on the “access bandwidthD” tab. A daily traffic report will look like the following:

In here you can see which IP addresses have consumed the most bandwidth and what type of traffic it was. This is useful for finding bandwidth hogs on your LAN so that you can take appropriate action.

Now that we have some of the basic packages installed and configured, we can get started on Snort. Snort is an intrusion detection/prevention system (IDS/IPS) that will monitor traffic on your WAN or internet interface and can proactively block anything that looks questionable based on predefined rules. Start by installing snort from the list of packages.

Once you have snort installed, head over to Services–>Snort–>Global Settings.

At the top you will have three choices for which Snort rules to use. It is highly recommended to pay for the Snort VRT premium rules as these get updated at least twice a week. The basic account only gets rules that are at least 30 days old. This means that you will essentially be running an IDS/IPS with outdated rules, which might leave you vulnerable. The Snort community rules are a subset of the Snort VRT rules and are therefore not needed if you are already subscribed to the premium rules. The last rule set is Emerging Threats, which contains current rules and is geared towards more advanced users. The recommended rules for everyone are the Snort VRT premium rules. You can click on the links provided and have them guide you to getting a premium account. Once you have a premium account created you should have received an Oinkmaster code, which you paste into the blacked out configuration box above.

Once you have configured your rules, you want to head over and modify the update interval and start time. I set mine to 6 hours rather than 12 hours so that in a given day I will check 4 times to see if there are any updates to the rules that I signed up for. The other thing that I modified here was checking the “settings will not be removed during deinstall” box. I also modified the directory size limit and gave it 1GB as I had enough space.

In the updates tab you can manually update the Snort rules that you are subscribed to and also view the logs to see when the last update occurred.

The next three tabs, Alerts, Blocked, and Whitelists, will list IP addresses that are suspicious, have been blocked, or are whitelisted. Currently those tabs should not have any data, as Snort is not enabled yet. Hit the “Update Rules” button once on the Updates window, then head back over to the Snort Interfaces tab.

In the “Snort Interfaces” tab you want to hit the “+” button to add an interface that Snort will monitor.

You should be presented with a new window where you can configure the listening interface.

Under the “WAN Settings” tab you want to select the enable check box. You must then select an interface for Snort to bind to; you will most likely want to choose the WAN interface, or whichever outward-facing port uplinks you to the internet. I also checked the options to have Snort send alerts to the main System logs and to automatically block offenders that generate Snort alerts. This means that I am running in blocking mode rather than passive mode, since hosts will automatically get blocked if they generate an alert. It is not necessary to automatically block offenders or hosts that generate an alert, but I do it since I want to block anything that’s suspicious and whitelist it if it is something that I trust. This will require you to check the “Blocked” tab a couple of times a day to see which hosts are listed there so that you can whitelist anything that you trust. The IP addresses that you are blocking should be the src (source) IP address, as the destination address will be your public IP address when you get a packet from the outside, and you should not block your own address.
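A small triage script for the blocking policy described above (block the source IP of an alert, never your own WAN address, and never an address inside a whitelisted network), as an added example that is not part of the original article or of the pfSense Snort package. It parses Snort's “fast” alert format; the alerts are constructed samples, and the WAN address and whitelist are assumed values.

```python
import re
from ipaddress import ip_address, ip_network

# Snort "fast" alert line (IPv4 only here). Assumed layout:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts; SIDs 1000001+ are the local-rule range, not real VRT/ET rules.
SAMPLE_ALERTS = """\
03/14-10:15:22.123456  [**] [1:1000001:1] CONSTRUCTED inbound exploit attempt [**] [Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 198.51.100.23:4444 -> 203.0.113.5:22
03/14-10:16:01.000001  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.77 -> 203.0.113.5
03/14-10:17:45.555555  [**] [1:1000002:1] CONSTRUCTED policy hit from trusted partner [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:44321 -> 203.0.113.5:443
03/14-10:18:03.222222  [**] [1:1000003:1] CONSTRUCTED outbound user-agent alert [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:40001 -> 198.51.100.9:443
"""

def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast-format alert."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines, my_wan_ip, whitelist_nets):
    """Apply the article's blocking rule: block the *source* of each alert, but never
    your own WAN address and never an address inside a whitelisted network.
    Returns (ips_to_block, skipped) where skipped pairs an address with the reason."""
    wan = ip_address(my_wan_ip)
    nets = [ip_network(n) for n in whitelist_nets]
    to_block, skipped = set(), []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        src = ip_address(alert["src"])
        if src == wan:
            # Outbound alert: the offender is one of your own LAN hosts, review it instead.
            skipped.append((alert["src"], "own WAN address, check the LAN client"))
        elif any(src in net for net in nets):
            skipped.append((alert["src"], "whitelisted"))
        else:
            to_block.add(alert["src"])
    return to_block, skipped

if __name__ == "__main__":
    # Assumed values: 203.0.113.5 is our WAN address, 192.0.2.0/24 is a trusted partner.
    block, skipped = triage(SAMPLE_ALERTS.splitlines(), "203.0.113.5", ["192.0.2.0/24"])
    print("block:", sorted(block))
    print("review:", skipped)
```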

Under “Detection Performance Settings” you might want to modify the “search method” based on the hardware that pfSense is running on. Look at the descriptions to pick an option that matches your machine's performance. The rest of the options here should be left at their default values. Hit save when done and return to the Snort Interfaces tab. In here you should see the interface that you just added listed. The next step is to modify this interface by hitting the “e” button next to it.

Head over to the “WAN Preprocessors” tab and modify the following options here:

Make sure that everything in the general preprocessor settings section is checked except for Sensitive Data, which will cause a lot of alerts. I have Snort set to automatically block on alerts, so this option would block a lot of different sites. I tend to view the list of blocked hosts every hour or so and whitelist the things that I trust. You will eventually get to a point where your everyday traffic works fine and only untrustworthy things get blocked. This usually takes about two weeks until you have built a good whitelist.

The other thing that I modified here was the portscan detection settings, so that Snort detects port scans being run against my public IP address.

The last thing that we must modify is under the “WAN Categories” tab, where we choose a detection policy as well as which rules to use.

In here you will check the “use IPS policy” box and select an IPS policy. You might want to select Connectivity, as this has few or no false positives. If you are the type of person that has time to go through the blocked and alerts lists daily then I recommend the Balanced policy. The Balanced policy will require tuning on your end, as you will notice that a lot of things get blocked if you are running in blocking mode like I am. Hit save at the bottom when done and head over to the Snort Interfaces window.

In here hit the red X icon to start Snort.

Started:

You might want to look at the Alerts tab in a couple of minutes to see which hosts are throwing alerts. Similarly, if you are running in blocking mode like I am then you will have hosts listed in your Blocked tab as well. The Whitelists tab will hold the list of hosts that have been whitelisted by you. Thank you for reading this article and I hope to see you here next time.
