Snort is an open source network Intrusion detection (IDS) and prevention (IPS) application. Snort can record packets and analyze in real time all activity on the internet network. In carrying out its duties, snort is able to combine signature matching capabilities, protocol inspection tools, and anomaly detection mechanisms.

Snort was created by Martin Resch in 1998 and quickly gained popularity as a free intrusion detection system that allows you to write rules to detect attacks independently and without much effort. In fact, the Snort signature description language has become the de facto standard for many intrusion detection systems that adopt it in their machines.

1. Snort Structure and Operation

According to the system monitoring method, the Snort intrusion detection system can be associated with network nodes and systems, depending on the configuration parameters. It usually protects a specific segment of a local network from external attacks from the Internet. The Snort system performs logging, analysis, content search, and is also widely used to actively block or passively detect various attacks and probes. The advantages that Snort has is that it can detect:
  1. Bad internet traffic.
  2. Exploiting Shellcode detection.
  3. Scanning the system (port, OS, user, etc.).
  4. Reads attacks on services such as Telnet, FTP, DNS, etc.
  5. Able to analyze DoS/DDoS attacks.
  6. Detect attacks against web servers (cgi, php, frontpage, iss, etc.) and attacks on SQL, Oracle databases, etc.
  7. Can act as a web filter (often used to block pornographic content).
  8. Prevent viruses on the network.

2. Configure Snort in PFSense

To run the Snort application on PFSense, it must be installed first, namely by clicking the System menu >>> Package Manager >>> Available Packages. After that, look for the snort application and click install.

After the installation process is complete, the next step is to configure snort, but before that we have to create an account on  

After successfully creating a snort account, continue by logging in then look at the Oinkcode. We will use this code to configure snort in PFSense. We continue with the snort configuration process, click Services >>> Snort, select the Global Settings menu. To fill in the Snort Oinkmaster Code, we take it from the snort account that we created above.

In the Enable OpenAppID option, we check the checklist and fill in the Update Interval option according to the server computer resource requirements. If we feel that is enough, we can immediately click the Save button.

We continue with the snort configuration process, click Services >>> Snort, select the Snort Interface menu, and click the Add button.

When the Block Offenders option is activated, we select Legacy Mode for IPS Mode. To fill in the Detection Performance Settings, check the Search Optimize checklist.

To fill in other menus, leave it alone, it is set by default.

To configure the Snort Interfaces menu, if it is sufficient and nothing has been missed, then we click the Save button. For other menu configurations, we just make them default.

OK, Now you might have some ideas and knowledge to play around with Snort Intrusion Detection Service. Hope this helps you keep your network away from unwanted hacker attacks.
Iwan Setiawan

I Like Adventure: Mahameru Mount, Rinjani Mount I Like Writer FreeBSD

Post a Comment

Previous Post Next Post