Snort on pfSense – IPS Policy Accuracy

Minimize the number of false positives and unintended enforcement of policies

The current implementation of Snort on pfSense requires a manual adjustment of the preprocessor and decoder rules when utilizing Snort VRT IPS Policies (Connectivity, Balanced, Security, and Max-Detect). This step is recommended to minimize the number of false positives and the unintended enforcement of policy, irrespective of the chosen IPS Policy level.

Snort on pfSense false positives
A special thanks to the Snort Team and Research Engineers at CISCO Talos, as well as Max Leighton and Kimberly Keen from Netgate, for their invaluable help in compiling the information required for this article.

Manual adjustment of the preprocessor and decoder rules

Category Selection

To change the preprocessor and decoder rules for a Snort interface, navigate to Services -> Snort -> Snort Interfaces, then edit the interface settings by clicking the pencil symbol ✏️.

Snort DMZ Interface

Navigate to the <Snort_Interface> Rules tab, and then to Category Selection in the Available Rule Categories section. Here you can select either preprocessor.rules or decoder.rules, depending on which category you need to adjust.

IPS Policy - Category Selection

Policy Adjustments

Connectivity

This IPS Policy requires all preprocessor and decoder rules to be disabled.

➡️ Select preprocessor.rules in the Category Selection list, then click the “Disable All” red button.

➡️ Repeat the same for decoder.rules.

Balanced

This IPS Policy requires all decoder rules to be disabled and only four preprocessor rules enabled.

➡️ Select decoder.rules then click the “Disable All” red button.

➡️ Then, for preprocessor.rules, make sure only the rules listed in the table below are enabled.

Group ID  Signature ID  Classtype        Message
105       1             trojan-activity  BO_TRAFFIC_DETECT
105       2             trojan-activity  BO_CLIENT_TRAFFIC_DETECT
105       3             trojan-activity  BO_SERVER_TRAFFIC_DETECT
105       4             trojan-activity  BO_SNORT_BUFFER_ATTACK

Security

This IPS Policy requires all decoder rules to be disabled and 22 preprocessor rules enabled.

➡️ Select decoder.rules then click the “Disable All” red button.

➡️ Then, for preprocessor.rules, make sure only the rules listed in the table below are enabled.

Group ID  Signature ID  Classtype        Message
105       1             trojan-activity  BO_TRAFFIC_DETECT
105       2             trojan-activity  BO_CLIENT_TRAFFIC_DETECT
105       3             trojan-activity  BO_SERVER_TRAFFIC_DETECT
105       4             trojan-activity  BO_SNORT_BUFFER_ATTACK
106       3             bad-unknown      RPC_LARGE_FRAGSIZE
106       4             bad-unknown      RPC_INCOMPLETE_SEGMENT
106       5             bad-unknown      RPC_ZERO_LENGTH_FRAGMENT
124       1             attempted-admin  SMTP_COMMAND_OVERFLOW
124       2             attempted-admin  SMTP_DATA_HDR_OVERFLOW
124       3             attempted-user   SMTP_RESPONSE_OVERFLOW
124       4             attempted-admin  SMTP_SPECIFIC_CMD_OVERFLOW
124       7             attempted-admin  SMTP_HEADER_NAME_OVERFLOW
124       8             attempted-admin  SMTP_XLINK2STATE_OVERFLOW
124       15            attempted-admin  SMTP_AUTH_COMMAND_OVERFLOW
125       3             attempted-admin  FTPP_FTP_PARAMETER_LENGTH_OVERFLOW
125       5             attempted-admin  FTPP_FTP_PARAMETER_STR_FORMAT
125       6             attempted-user   FTPP_FTP_RESPONSE_LENGTH_OVERFLOW
126       1             attempted-admin  FTPP_TELNET_AYT_OVERFLOW
128       1             attempted-admin  SSH_EVENT_RESPOVERFLOW
128       2             attempted-admin  SSH_EVENT_CRC32
128       3             attempted-admin  SSH_EVENT_SECURECRT
131       3             attempted-admin  DNS_EVENT_RDATA_OVERFLOW

Max-Detect

If you choose this Policy, all rules in both the decoder and preprocessor rule sets must be enabled.

➡️ Select preprocessor.rules in the Category Selection list, then click the “Enable All” green button.

➡️ Repeat the same for decoder.rules.
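The four policies above reduce to a fixed set of GID:SID pairs that should be enabled in each category, so the manual clicks can be checked afterwards instead of trusted. The script below is an added example, not code from this article, from Netgate, or from the pfSense Snort package. It parses a preprocessor.rules or decoder.rules file in the Snort 2.9 line format (`alert ( msg: "..."; sid: N; gid: M; ... )`, with a disabled rule commented out by a leading `#`) and reports which rules are enabled but should not be, and which are expected but disabled, for the chosen policy. The policy tables are the ones from this article; the file paths are taken from the command line because the directory pfSense writes the generated rules to is not stated here, and the sample file content at the bottom is constructed for the demonstration.

```python
"""Audit enabled Snort preprocessor/decoder rules against a VRT IPS Policy.

Added example; not part of the article or of the pfSense Snort package.
"""
import re
import sys
from typing import Dict, Optional, Set, Tuple

GidSid = Tuple[int, int]

# Expected enabled (gid, sid) pairs per category, from the article's tables.
BALANCED_PREPROC: Set[GidSid] = {(105, 1), (105, 2), (105, 3), (105, 4)}
SECURITY_PREPROC: Set[GidSid] = BALANCED_PREPROC | {
    (106, 3), (106, 4), (106, 5),                              # RPC decode
    (124, 1), (124, 2), (124, 3), (124, 4), (124, 7), (124, 8), (124, 15),  # SMTP
    (125, 3), (125, 5), (125, 6),                              # FTP
    (126, 1),                                                  # Telnet
    (128, 1), (128, 2), (128, 3),                              # SSH
    (131, 3),                                                  # DNS
}

# None means "every rule present in the file must be enabled" (Max-Detect).
POLICY: Dict[str, Dict[str, Optional[Set[GidSid]]]] = {
    "connectivity": {"preprocessor": set(),           "decoder": set()},
    "balanced":     {"preprocessor": BALANCED_PREPROC, "decoder": set()},
    "security":     {"preprocessor": SECURITY_PREPROC, "decoder": set()},
    "max-detect":   {"preprocessor": None,             "decoder": None},
}

# One Snort 2.9 preprocessor/decoder rule line; an optional leading "#"
# marks the rule as disabled (assumption: that is how the generated file
# records a rule switched off in the GUI).
RULE_RE = re.compile(
    r'^\s*(?P<off>#\s*)?alert\s*\(\s*msg:\s*"(?P<msg>[^"]+)"\s*;'
    r'\s*sid:\s*(?P<sid>\d+)\s*;\s*gid:\s*(?P<gid>\d+)\s*;'
)


def parse_rules(text: str) -> Dict[GidSid, Tuple[str, bool]]:
    """Map (gid, sid) -> (msg, enabled) for every rule line in text."""
    rules: Dict[GidSid, Tuple[str, bool]] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            key = (int(m.group("gid")), int(m.group("sid")))
            rules[key] = (m.group("msg"), m.group("off") is None)
    return rules


def audit(policy: str, category: str, text: str) -> Tuple[Set[GidSid], Set[GidSid]]:
    """Return (enabled_but_unexpected, expected_but_disabled) for the policy."""
    expected = POLICY[policy.lower()][category]
    rules = parse_rules(text)
    enabled = {key for key, (_, on) in rules.items() if on}
    if expected is None:                   # Max-Detect: everything must be on
        expected = set(rules)
    return enabled - expected, expected - enabled


def report(policy: str, category: str, text: str) -> str:
    """Human-readable audit summary, one line per deviation."""
    rules = parse_rules(text)
    extra, missing = audit(policy, category, text)
    lines = [f"{category}.rules vs policy '{policy}': "
             f"{len(extra)} unexpected enabled, {len(missing)} missing"]
    for gid, sid in sorted(extra):
        lines.append(f"  DISABLE {gid}:{sid} {rules[(gid, sid)][0]}")
    for gid, sid in sorted(missing):
        name = rules.get((gid, sid), ("<not in file>",))[0]
        lines.append(f"  ENABLE  {gid}:{sid} {name}")
    return "\n".join(lines)


# Constructed sample of a preprocessor.rules file (not a real pfSense file):
# three Back Orifice rules on, one off, one RPC rule on.
SAMPLE_PREPROC = """\
# BACK ORIFICE RULES (constructed sample)
alert ( msg: "BO_TRAFFIC_DETECT"; sid: 1; gid: 105; metadata: rule-type preproc ; classtype:trojan-activity; )
alert ( msg: "BO_CLIENT_TRAFFIC_DETECT"; sid: 2; gid: 105; metadata: rule-type preproc ; classtype:trojan-activity; )
alert ( msg: "BO_SERVER_TRAFFIC_DETECT"; sid: 3; gid: 105; metadata: rule-type preproc ; classtype:trojan-activity; )
# alert ( msg: "BO_SNORT_BUFFER_ATTACK"; sid: 4; gid: 105; metadata: rule-type preproc ; classtype:trojan-activity; )
alert ( msg: "RPC_LARGE_FRAGSIZE"; sid: 3; gid: 106; metadata: rule-type preproc ; classtype:bad-unknown; )
"""

if __name__ == "__main__":
    # Usage: audit_snort_policy.py <policy> <preprocessor.rules> <decoder.rules>
    # With no arguments, audits the constructed sample against "balanced".
    if len(sys.argv) == 4:
        pol, pre_path, dec_path = sys.argv[1:4]
        for cat, path in (("preprocessor", pre_path), ("decoder", dec_path)):
            with open(path, encoding="utf-8", errors="replace") as fh:
                print(report(pol, cat, fh.read()))
    else:
        print(report("balanced", "preprocessor", SAMPLE_PREPROC))
```

Run against the sample, the Balanced audit flags 106:3 (RPC_LARGE_FRAGSIZE) as enabled but not in the policy and 105:4 (BO_SNORT_BUFFER_ATTACK) as expected but disabled; for Connectivity every enabled rule is flagged, and for Max-Detect only the commented-out rule is. Point it at the two generated rules files for an interface after the GUI changes and an empty report means the interface matches the policy.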

Need help to setup Snort on your pfSense? Contact Us