Welcome again to another tutorial on how to use pfSense. In this second tutorial, I will show you how to install one essential component for securing networks: an IDS/IPS. Luckily, pfSense has a collection of packages that help secure the network, and it supports Snort, an IDS that is widely used around the world.
The first step is to install the Snort package. Access your pfSense webConfigurator, navigate to System -> Packages, click on the Available Packages tab, look for snort, and click Install package.
Click on Confirm to install Snort. (This will take a while depending on your Internet speed.)
If this shows up, it means that the installation is done. Now head to the Snort service settings by navigating to Services -> Snort.
The next thing we need to do is download the rules that Snort will use. (You need a Snort account in order to download rules; head to www.snort.org and register.)
Navigate to Global Settings and check INSTALL SNORT VRT RULES (you need your Oinkcode here; the Oinkcode can be found in your Snort account -> Oinkcode). Check INSTALL SNORT COMMUNITY RULES and INSTALL EMERGING THREATS RULES, and then click on Save.
Now we need to update the rules, because they are not updated upon saving. Navigate to the Updates tab and you will see this.
Simply click on the update button and wait for it to finish.
This will show up once the update is finished.
Our next task is to indicate which interface the Snort rules will be applied to. Click on the Snort Interfaces tab and click on Add Interface.
After clicking on add interface, this will be the next window.
For this example we will be using WAN, but you can apply Snort rules to any interface that you have created. Check Send Alerts to System Logs and Block Offenders, and then click on Save.
Notice that a warning pops up after saving, saying that the marked interface has no Snort rules defined. We will edit the interface by simply clicking on the edit button.
Then go to WAN Categories, click on Select All, and then save.
That step adds the rule sets that Snort will use for the interface.
To enable Barnyard2, just navigate to WAN Barnyard2 and click on the check box.
You can select whichever of the 3 output logging features shown you prefer.
Go to WAN Categories again and check USE IPS POLICY.
In this example, use the Connectivity IPS policy selection.
Reboot the system.
After the reboot is finished, go to Status -> Services and you will see that Snort is up and running.
You have now successfully installed Snort.
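
With Send Alerts to System Logs checked on the WAN interface, Snort's alerts end up in the system log. The following is an added example, not part of the original tutorial: it parses such lines and tallies alerts per source address so you can see which hosts are triggering rules. It assumes the log lines follow Snort's "fast" alert layout shown in the comment; the sample lines, SIDs and addresses are constructed.

```python
import re
from collections import Counter

# Assumed layout of a Snort "fast" alert in syslog:
# snort[pid]: [gid:sid:rev] msg [Classification: c] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"snort\[\d+\]:\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

# Constructed sample lines (documentation addresses, made-up SIDs and messages).
SAMPLE_LOG = """\
Mar  3 10:15:01 pfsense snort[41822]: [1:1000001:1] CONSTRUCTED inbound SQL probe [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:51514 -> 192.0.2.10:1433
Mar  3 10:15:09 pfsense snort[41822]: [1:1000002:1] CONSTRUCTED SSH scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:40022 -> 192.0.2.10:22
Mar  3 10:16:44 pfsense snort[41822]: [1:1000003:1] CONSTRUCTED ping [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10
Mar  3 10:17:02 pfsense sshd[912]: Accepted publickey for admin from 192.0.2.50 port 50222 ssh2
""".splitlines()


def host_only(endpoint):
    """Strip the port from 'a.b.c.d:port'; leave portless or IPv6 values alone."""
    return endpoint.split(":")[0] if endpoint.count(":") == 1 else endpoint


def parse_alert(line):
    """Return the alert fields as a dict, or None for non-Snort lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    alert["src_ip"] = host_only(alert["src"])
    return alert


def summarize(lines, max_priority=2):
    """List (source IP, alert count, rule ids) for priority <= max_priority (1 = most severe)."""
    counts, rules = Counter(), {}
    for alert in filter(None, map(parse_alert, lines)):
        if alert["prio"] <= max_priority:
            counts[alert["src_ip"]] += 1
            rules.setdefault(alert["src_ip"], set()).add(f'{alert["gid"]}:{alert["sid"]}')
    return [(ip, n, sorted(rules[ip])) for ip, n in counts.most_common()]


if __name__ == "__main__":
    for ip, n, sids in summarize(SAMPLE_LOG):
        print(f"{ip}\t{n} alert(s)\trules {', '.join(sids)}")
```

Pass `max_priority=3` to include low-severity alerts such as the constructed ICMP line.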