Yandex Cloud and VK Cloud documentation
Documentation on configuring solutions in Yandex Cloud
Yandex Cloud pfSense documentation
Snort and pfSense integration

Snort and pfSense integration

Snort

Snort is one of the most well-known and widely used tools for detecting network attacks and intrusions (Intrusion Detection System (IDS). It is an open source software designed to monitor network traffic and detect anomalous or malicious behavior on the network. Snort uses a set of rules to analyze network traffic and detect suspicious or malicious activities such as port scans, vulnerability attacks, and other types of network attacks. It can be configured to detect and block such attacks, making it a useful tool for protecting computer networks from intrusions and cyberattacks.

Install Snort in pfSense

To install snort, open the pfSense web interface and go to System –> Package Manager –> Available Packages.

In the search bar, type snort.

And click Install, wait for the installation process to finish

Now go to Services –> Snort.

Configuring Snort

First, customize the global settings by selecting Global Settings.

Snort Subscriber Rules - Select if you have a subscription and Snort Oinkmaster Code.

Snort GPLv2 Community Rules - Check the box for Snort GPLv2 Community Rules.

Emerging Threats (ET) Rules - check the box for Enable ET Open.

Sourcefire OpenAppID Detectors- check the box forEnable OpenAppID`.

FEODO Tracker Botnet C2 IP Rules - check the box for Enable FEODO Tracker Botnet C2 IP Rules.

Rules Update Settings - set Update Interval equal to 1 DAY and time as you wish.

Press Save

Then go to Snort Interfaces and create an interface for the sensor, the settings are at your discretion.

If for some reason it is impossible to update from official snort servers, you can use alternative mirrors.

Configure mirror for rules

To make updates downloaded not from the official snort site you need to make changes to the /usr/local/pkg/snort/snort_defs.inc file.

To do this, open it for editing and change snort.org to your mirror, e.g.

vi /usr/local/pkg/snort/snort_defs.inc

Find VRT_DNLD_URL,GPLV2_DNLD_URL,SNORT_OPENAPPID_DNLD_URL and change to your values

⚠️
Be careful snort_defs.inc file may be overwritten to default values when updating the snort package

Below is an example of a complete file with changes

snort_defs.inc
<?php
/*
 * snort_defs.inc
 *
 * part of pfSense (https://www.pfsense.org)
 * Copyright (c) 2006-2023 Rubicon Communications, LLC (Netgate)
 * Copyright (c) 2009-2010 Robert Zelaya
 * Copyright (c) 2013-2022 Bill Meeks
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

global $g;

/* Define some useful constants for Snort */
if (!defined("SNORT_BASEDIR")) {
	define("SNORT_BASEDIR", "/usr/local/");
}
if (!defined("SNORT_BINDIR"))
	define("SNORT_BINDIR", SNORT_BASEDIR . "bin/");
if (!defined("SNORTDIR"))
	define("SNORTDIR", SNORT_BASEDIR . "etc/snort");
if (!defined("SNORTLOGDIR"))
	define("SNORTLOGDIR", "{$g['varlog_path']}/snort");
if (!defined("SNORT_BIN_VERSION")) {
	// Grab the Snort binary version programmatically by
	// running the binary with the command-line argument
	// to display the version information.
	$snortbindir = SNORT_BINDIR;
	$snortver = exec_command("{$snortbindir}/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-31");

	// Extract just the numbers and decimal point
	// delimiters at the front of the version string.
	$matches = array();
	if (preg_match('/^[^\s]+/', $snortver, $matches)) {
		define("SNORT_BIN_VERSION", $matches[0]);
	}
	else {
		define("SNORT_BIN_VERSION", "2.9.20");
	}
}

if (!defined("SNORT_SID_MODS_PATH"))
	define('SNORT_SID_MODS_PATH', "{$g['vardb_path']}/snort/sidmods/");
if (!defined("SNORT_IPREP_PATH"))
	define("SNORT_IPREP_PATH", "{$g['vardb_path']}/snort/iprep/");
if (!defined('SNORT_APPID_ODP_PATH'))
	define('SNORT_APPID_ODP_PATH', SNORTDIR . "/appid/");
if (!defined('SNORT_APPID_RULES_PATH'))
        define('SNORT_APPID_RULES_PATH', SNORTDIR . "/rules/");

// Rules filenames, download URLs and prefixes.
// Be sure to include the trailing backslash on URLs.
if (!defined("SNORT_ENFORCING_RULES_FILENAME"))
	define("SNORT_ENFORCING_RULES_FILENAME", "snort.rules");
if (!defined("FLOWBITS_FILENAME"))
	define("FLOWBITS_FILENAME", "flowbit-required.rules");
if (!defined("SNORT_RULES_UPD_LOGFILE"))
	define("SNORT_RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
if (!defined("VRT_DNLD_URL"))
	define("VRT_DNLD_URL", "https://snort.comcloud.xyz/rules/");
if (!defined("ET_VERSION"))
	define("ET_VERSION", "2.9.0");
if (!defined("ET_BASE_DNLD_URL"))
	define("ET_BASE_DNLD_URL", "https://rules.emergingthreats.net/"); 
if (!defined("ETPRO_BASE_DNLD_URL"))
	define("ETPRO_BASE_DNLD_URL", "https://rules.emergingthreatspro.com/"); 
if (!defined("SNORT_ET_DNLD_FILENAME"))
	define("SNORT_ET_DNLD_FILENAME", "emerging.rules.tar.gz");
if (!defined("SNORT_ETPRO_DNLD_FILENAME"))
	define("SNORT_ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
if (!defined("SNORT_GPLV2_DNLD_FILENAME"))
	define("SNORT_GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
if (!defined("GPLV2_DNLD_URL"))
	define("GPLV2_DNLD_URL", "https://snort.comcloud.xyz/downloads/community/");
if (!defined("SNORT_OPENAPPID_DNLD_URL"))
	define("SNORT_OPENAPPID_DNLD_URL", "https://snort.comcloud.xyz/downloads/openappid/");
if (!defined("SNORT_OPENAPPID_DNLD_FILENAME"))
	define("SNORT_OPENAPPID_DNLD_FILENAME", "snort-openappid.tar.gz");
if (!defined("SNORT_OPENAPPID_RULES_URL"))
	define("SNORT_OPENAPPID_RULES_URL", "https://files.netgate.com/openappid/");
if (!defined("SNORT_OPENAPPID_RULES_FILENAME"))
	define("SNORT_OPENAPPID_RULES_FILENAME", "appid_rules.tar.gz");
if (!defined("SNORT_RULES_UPD_LOGFILE"))
	define("SNORT_RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
if (!defined("VRT_FILE_PREFIX"))
	define("VRT_FILE_PREFIX", "snort_");
if (!defined("GPL_FILE_PREFIX"))
	define("GPL_FILE_PREFIX", "GPLv2_");
if (!defined("ET_OPEN_FILE_PREFIX"))
	define("ET_OPEN_FILE_PREFIX", "emerging-");
if (!defined("ET_PRO_FILE_PREFIX"))
	define("ET_PRO_FILE_PREFIX", "etpro-");
if (!defined("OPENAPPID_FILE_PREFIX"))
	define("OPENAPPID_FILE_PREFIX", "openappid-");
if (!defined("FEODO_TRACKER_DNLD_FILENAME"))
	define("FEODO_TRACKER_DNLD_FILENAME", "feodotracker.tar.gz");
if (!defined("FEODO_TRACKER_DNLD_URL"))
	define("FEODO_TRACKER_DNLD_URL", "https://feodotracker.abuse.ch/downloads/");

?>
Configuring OpenVPN in pfSensepfSense integration with Suricata