So, the folks over at Netgate have been busy, along with the folks over at Snort, making some updates. Now, I had done an in-depth review of Suricata because I really enjoy the product and I really liked it, and at the time it seemed to have a few advantages. But since this latest round of updates, Snort is looking much better. And so I've been doing some testing with it for a little while, and that's why it took me a minute before I could get the video out. But one of the things that's really cool is the application detection that it has in here as well. So we're going to cover this OpenAppID, what it is, and essentially, I'll leave links to this, but it's the ability to actually look at the application layer, at layer seven, and identify certain applications that are running inside the system. Now this is really cool. I'm going to bring a window over here real quick. And this is just a quick glance at Tom's house, seeing it running there, and what you're looking at here is all the different things. For example, it sees Netflix. What else do we have here? Oh, Zynga. I can tell you already that's my wife's phone right there, because it's fun having this at home so I can actually see the different things; it picks up the fact that it's running Zynga. She plays, I don't know, some clicker game on her phone made by them. We got Netflix. We got Chrome updates. So it's really interesting having this application ID in here. So this is the end result of what it looks like. But of course, you guys want to know, how did we get here? How do we load it? And of course, that's what I'm going to cover for you: get you the details, show you how to set it up, and some basic settings and concepts with Snort. I'm really impressed with it. I may be switching from Suricata myself with this latest version. I've been testing it at home for a while, where it's a less critical environment, and it's nice because it requires less effort than Suricata did to get it tuned.
They've built in some really nice features that kind of get you up and running without having to do as much tuning as you do otherwise, because tuning is the hardest part of any intrusion detection system. The concept is you have a lot of rules, and then people want to go crazy and turn them all on, and then turn blocking on, and then you have an unusable network until you spend a whole lot of time tuning it. Something I covered in Suricata was, you know, enabling the rules kind of on an as-needed basis, figuring out which ones are important, and then turning on blocking, and then you have to kind of babysit the network and tune it. And it's hard for me to switch because I spent so much time tuning Suricata, but the fact that Snort comes kind of out of the box fairly tuned, and I've been really impressed with it, that's pretty cool. So let's dive into this. Now, there is an updated guide, including the application ID, on the pfSense docs. I'll leave a link to that. They've got lots of the details here. I'm not going to read it to you, because what fun would that be? But they've done a good job in keeping up with the documentation. So they did add some screenshots for application ID and some of the other things we're going to be covering. All right. This is my clean-load lab of pfSense. So, first thing we got to do to it. Well, I can't say 100% clean, because I've configured it for external access. Its WAN IP, which in my network is 3.98. And then on the LAN side, it is 40.1. Not super relevant, but yes, in case people are asking, it's not a true WAN external IP. That's because this is in the lab. So all of this is simulated. Just got to get that out of the way, because I don't think I've posted a video where someone doesn't see that and it becomes one of the first comments: "That's not actually an external IP." Yeah, I know. So this is configured, set up and allowed for external WAN access, so I can pass data through it and do this type of testing.
And we're going to go to Package Manager, Available Packages. We type in snort. We hit Install. We hit Confirm. It runs through. So this part of it hasn't changed. All right, Snort's installed. That part, like I said, is pretty straightforward. Go to Services, Snort, and we got to get it set up. Now by default, out of the box, nothing's configured. You do have to enable things in Snort. Global Settings: the first thing you're going to do is, well, we're going to get some rules. And this is to enable the Snort VRT free, registered, or paid subscriber rules. Sign up for a free account. Now I'm not going to show you how to sign up for an account, but this is where you get it. I'm already logged in. I would click on that and get my Snort ID for you, but you can't have mine. You've got to go get your own. It's free. You get an email. If you want to sign up for the paid ones, they have the paid subscription. So if you want to buy some personal rules or business rules or something, you know, become a distributor, they have all that information on here. Now the reality is the rules are the sauce that makes all of this work. So they're really important. And supporting some of these projects is important as well. That's why they want money for them, because there's a lot of time, effort, and thought that goes into creating rules. So you have the product itself here, but the intelligence of the product comes from having these rules to identify and apply that information to the traffic passing through here, in order to make it function at all. And now you do have some GPL community rules. We're going to enable those. I'm going to put my own code in here in a second, but that's going to get blurred out. I'm going to enable the ET Open, or you can also sign up for an ET Pro account. Then we're going to check the enable download of Sourcefire OpenAppID detectors, because we want to use that, and right here as well.
So these are the ones you need to turn on and download those rules. Update interval: unless there's some critical reason for it, set it to 24 hours, unless you go, man, I really need all the rules. I'm going to hide deprecated rule categories. And if you are pulling from sources that don't have SSL verification, you can check this, if it's pulling from a source with a self-signed certificate. Now blocking, you may or may not want to do this. If you do this, you're going to have to actively kind of do some babysitting with your firewall, because if you turn on blocking and it blocks everything it finds in here and you're not done tuning things a little bit, you may have a lot of angry people on the other side of the network, or just block yourself out of doing things. This is the interval for removal. You probably don't want it at never. And what it is, is something gets blocked, how long before it falls off the block list. So I'm just going to set it here to 30 minutes. And then we're going to go ahead and hit Save. All right, I hit Save. I also cut out the part where I put in my Snort Oinkmaster code that I got, just the free registration one. So we're going to go ahead and update the rules, because as you see, none of them are downloaded, none of them are updated. So the first thing we got to do is, well, we got to get the rules. All right, depending on the speed of your connection and the speed of your system, results may vary, but this is all the rules, and they are up to date as of right now. And now they're automatically on the auto-get new rules update. So let's go over here to Snort Interfaces, because now we have to add an interface to it in order to get things set up. So we're going to go ahead and Add, Enable interface, WAN, that's fine, Enable Splitting of Any Port Group. We're going to leave this at default, Search Optimize. We'll go ahead and enable search optimization on there. Scroll down. All this looks pretty good. Go ahead and hit Save.
Still some more editing; probably should have jumped over to Categories. Resolve Flowbits, yep. Now this is where you can get yourself in trouble if you want to do this individually. And let me give you an idea of how many rule sets there are. These aren't the rules, these are the rule sets. And then on this page here under WAN Rules, these are all the individual rules. So you can play with it and fine-tune and turn on and off things. And that's all fun. And what you do when you set these rules on is it goes through, it has the rules, and you individually decide if you want them in the logs: okay, enable this, enable that. And it works just like it does in Suricata. You can just say, go ahead and forget that rule, or enable it, and that gets to be really, really tedious. Let's come back to why I like Snort and what they're doing now. We're going to go ahead and use the IPS policy. We're going to go ahead and set it to Security. And I can ignore all this down here. Because what that's doing is, if checked, Snort will use rules from one of the three predefined IPS policies. So we're going to go ahead and set it to a higher-level one, and they describe it all down here. Connectivity blocks most threats with few or no false positives; a good starter policy. It is speedy, has a good base coverage level and covers most threats of the day. It includes rules in Connectivity. Security is a stringent policy. It contains everything in the first two policies plus rules such as a Flash object in an Excel file. And then we have Balanced; it's kind of the middle. So you can go full Security or Balanced. We're going to go ahead and go full Security on this. Go ahead and hit Save. All right, so that part's configured. Now let's go over to the WAN Preprocessors. When you're in here, whether or not you want to enable performance stats, the default is not checked. But this can help if you want to do some logging of performance when you're digging through the rules. Auto Rule Disable.
I have found this helpful at times. If parts of rules aren't working properly and you don't have this checked, it makes Snort give an error on whichever rule. If you do this Auto Rule Disable, it goes, OK, that part of the rules connects to another rule that's not functioning, so we're going to go ahead and just disable that part of the rule. That seems to fix a lot of little bug issues I've run into with that. So I've seen some even forum posts on this exact topic. That's checked. And that solves it. Now here's the thing. It wasn't doing it, then it started doing it when I got one of the rule sets. So results may vary, but auto disabling seems to fix that. Now we're going to scroll down through all this and leave all this at default, unless you have some reason that you want to play with all these little things. But we're jumping down here to the enable for the application IDs. So we're going to enable that. Enable OpenAppID statistics and logging, so all that's on there. Now you can also do this if you want. So you can use Portscan Detection to get a very nice port scan of sweeps. We'll go ahead and enable it. Do you really need it? It's up to you. If you just want to know if someone's scanning you, it creates a lot of noise. This is the fun thing. IDS gives you a lot of insights. IDS can create lots of noise, because at any given moment, there's a whole lot of scans going on. So if you want to see who's scanning you, whatever, but it's not the most valuable information, because there are also some other tools out there that are just going around the web scanning in general to see if things are up and learning what things are. So it's kind of a noise thing, if you want to check it and learn more. Definitely, if you have blocking on, don't turn that on, because everything that scans you gets blocked, and lots of things just do lots of probing. So we're going to hit Save. So we'll save these settings here. All right.
Now, the rest of them you don't really have to worry about in detail unless you're having some problems. In a separate tutorial that I'm going to get to, I've been playing around with setting it up. In case you're wondering what this is, you can export and it's really cool. There are some neat things where you can enable all the logging to output it to something more in depth that takes all these logs and actually creates like cool interfaces with them. That's a project I'm working on. I'm just not that good at that yet. And I need to work on that tutorial. So for those wondering, or saying, why haven't you done it yet? It's in the works. It's a big project and it's something I'm working on, because it's complex, but I want to make an in-depth tutorial on how to set that up, because trying it out of the box is a little bit difficult. But yes, it does support, even if you're running this inside of pfSense, external logging servers that will allow you to create like dashboards, essentially, IDS information dashboards. I'm looking for one that, if someone knows a complete one and can email me, like, oh yeah, this is fairly turnkey to plug in. Great, I've been looking at some of them and they don't seem quite so turnkey. Now back to the very first interface here. Send Alerts to System Log, and Block Offenders. This will start blocking the offenders. No need to do that right now. What you can do is turn it on and see what shows up on there, and determine whether or not you want to turn on blocking later, because you can start suppressing and ignoring things, and we're gonna cover how to do that, so you can say, okay, these are some false positives. Get that cleaned up before you turn on blocking, or you'll end up with a semi-broken network. Or maybe you like doing it that way and you want to learn the hard way. That's the way you can do it too. It's your network, it's open source. Have it your way, like Burger King says.
So now we're gonna go ahead and see that Snort is stopped on WAN, and we'll start it on WAN. And watch it spin, and if everything went well, it'll start right up. Success. It does take a second to start. I fast-forward some of those things, because no one wants to sit there. And if you go to here, System, General, that's where it's loading all the logs to tell you everything that it's doing. And away it goes. And in case you're wondering, because someone may ask, yes, this is running virtually, and actually specifically in XenServer, which I've talked about before, virtualizing pfSense in my home virtualization lab tour. Snort doesn't seem to care that it's running there, and that has not caused any problems for me at all. So I know it runs fine on real-world hardware, and it seems to run fine on this. But we will note this as well. I only have two gigs of RAM in this virtual machine, and running that right there, Snort, with the rules loaded, you're looking at about half the RAM. It jumps up quite a bit. A big piece of this is running Snort. So it is a little bit more memory intensive. If you have less than a gig, I think you're gonna have some problems. You'll run right on the edge, because there's really nothing going on for network traffic. But even on my computer at home, with all the computers behind it, I've seen it get up there at about a gig and a half of usage running Snort. That's something to consider. Throw at least four gigs of RAM in there, and scale upwards if you're running a larger corporate network. Four gigs should be fine for a smaller network, but as you get a really large LAN with a lot of people, Snort, and any intrusion detection system, is both very memory intensive and very processor intensive, because you're trying to process all the traffic. So it scales up, and it could be a limiting factor if you have a really slow machine.
This is an advantage that, as I understand from the back end of the way Suricata was designed, because it has more threads that can run simultaneously, it's supposed to be a little bit more efficient. And it's something I came into with Suricata, but I believe they've added a lot of efficiencies to Snort, and to my knowledge, though, they still haven't become multi-threaded, but I could be wrong about that. I didn't really see anywhere. So whoever knows, leave it in the comments and let me know and I'll make that little note inside the description. All right, so it's running, and now what? Well, let's go over here to Snort and let's look at Alerts. There ain't any, nothing exciting here. So let's go create some alerts. And I know I can do it from the command line, but I'm lazy and this is clickable. I mean, I love the command line, but sometimes it's nice just to click on stuff. We're gonna go ahead and do, there's the IP address 3.98, and we'll go ahead and do an intense scan here and just beat this thing up. So it's sending out lots of intense scans. Let's go ahead and auto refresh. And this is still going, give it a second here. Just make sure all this is working the way it's supposed to. Yep, it's on Security. These are the rules that are enabled right now. So great, those are the ones. No alerts, no nothing. And that's because we're just doing a pretty basic scan, not actually doing anything. So you can see it didn't do anything. So let's try this again. So we're gonna go ahead and stop it. Now you don't have to stop it, but I found that if I stop it, it goes faster, because it'll stop itself when you do these rule changes, because I'm unchecking this and checking this. So we're gonna go ahead and uncheck this now. Hit Save. You'll see why here in a second. Save. And by not having it running, it allowed me to select all. If it's running, you have to do it twice.
And each time, it wants to reload the rules and pauses while it reloads the rules; that's why I stopped it. So it's not that it breaks anything, it's just slower. So now let's load all the rules, so it just goes crazy with alerts. So the first time we were doing the automated rules, but we, as you noticed, didn't check the notice every time a port scan happens. So here are all the rules checked. Every one of them here. So go back to the interfaces. We'll go ahead and start the interface. And you can see the CPU just loading it. It's loading in this tab, and you can see it's loading up here, and it's still loading the tab, and now we're all the way up to 72% of memory. You see the memory usage goes up quite a bit when you load that many rules in. So there's another thing that happened. So it's running, and you can see already we're getting all kinds of alerts in here, just because it sees activity going places. So almost every activity starts becoming an alert. Now the way you suppress an alert, to start creating your filters, is this little box here that says force disable this rule and remove it from the current rule set. So we'll go ahead and do this, because I know it's not really a threat. It's just checking a website. And now it's got to run and reload these rules again. And there's the pause, and it's going to disable this particular rule, and hopefully it won't get any more alerts. And here come some more things. This is just things running on the network, because I'm talking to it. Now, if we really want to fill it up, we go back over here, pull up Zenmap again, and we hit Scan. So this is scanning away. Make sure we go here too, because we're going to see the processor usage, and as this goes up, it's like, this is just a scan, not data passing through it. If I pass data through it, well, this goes up even more. Oh, it didn't have too many more alerts, just a couple more. But you can see, when you have this completely on, you start getting these.
Now, if I actually had this externally facing, you would have a ton of rules firing. And then you have to go through and tune each rule. And that, like I said, can be very tedious. So we're going to go ahead and stop this over here. And actually, let's jump over to my house again. Now, this one's configured and I'm using the same basic premise here. We got all the rules enabled on the LAN side, no blocking. And this is, like I said, at my house, where I know there are people at my house; the kids and the wife are home and probably playing with stuff. And this is where you can see, and if you did notice, yes, it is on the LAN side, because I want to see the internal, not external IPs; I want to go from inside out. You can do this on both in Snort. You can look at internals. You can look at externals. This way you can dig into this. And like I said, it's given me that information. It's given me the different things that are going: Netflix, Chrome protocol. And at the same time, because it's identifying everything, because I said, basically watch everything and just notify me, that's what's giving us these things like this application ID and stuff like that. So that kind of gives you an idea how Snort works and how you may prefer to have all the rules, using their pre-configured rules defined, which makes it a lot easier. And playing with the predefined rules at home, I think I have it set up on here. Now I got this one still turned on for this. When I've been playing with it, very few false positives. It's actually a very nice, clean system. And you can go through and still adjust the rules as needed based on the ones they have, or you can go crazy and try and see everything in a network. Now the other nice thing about running this in a lab: turning on all these rules can be very handy for trying to figure out what a box is doing. So you can turn on everything and try to figure out what's going on in there.
I actually have some plans in some future videos where I do things like use some of the different probing tools to scan for vulnerabilities and see how this performs. And I wouldn't mind at some point doing a performance test between Suricata and Snort, where I can build two lab machines and see which one sees more. Those are some future ideas I have, but hopefully this will get you started with Snort and get you playing around with it. And like I said, using just the built-in functionality they have here, where you just use their built-in options, Connectivity, Security, save, done, it works really well and gets you going. So get playing around with Snort and learning here, and look for that future video. And if you have some ideas for that future video, for how to get the logging externally and something that's nice and turnkey that's not a more complex project, let me know. And I'd be more than happy to take a look at the products. All right, well, thank you for watching. Hope you liked the content here. Like and subscribe.
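The tuning step the video describes, looking at what fires with everything enabled and suppressing the false positives before turning Block Offenders on, as an added worked example; this is not code from the video or from the pfSense Snort package. It parses Snort's standard fast-format alert lines, tallies alerts per rule (GID:SID), and prints entries in Snort's suppress-list syntax for the noisiest rules, never auto-suppressing priority-1 alerts and suppressing by source IP when only one host ever triggered a rule (so the portscan-detector noise from one scanner, GID 122, is silenced for that host only). The sample alert lines are constructed for this example (SIDs 2100498 and 2013028 are real ET rules used for illustration; SID 1000001 is a local-range placeholder). It assumes IPv4 endpoints and a fast-format alert file; the alert file the pfSense package keeps may use a different (CSV) layout, so check yours before pointing the script at it.

```python
"""Tune-before-block helper for Snort alert logs.

Added example (not from the video or the pfSense Snort package). Parses Snort
"fast" alert lines, tallies per rule, and emits suppress-list entries for rules
you judge to be noise. Assumes IPv4 endpoints and fast-format input.
"""
import re
from collections import Counter, defaultdict

# One "fast" alert per line:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
# Classification is optional (the portscan preprocessor, GID 122, omits it).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample alerts: a scan from 10.0.0.5 (two portscan preprocessor
# alerts plus one response-side hit), a chatty ET POLICY rule firing from three
# LAN hosts, a priority-1 local rule (placeholder SID/message) that must never be
# auto-suppressed, and one junk line the parser has to skip.
SAMPLE_ALERTS = """\
05/12-14:02:33.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.40.10:50123
05/12-14:02:35.000001  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.5 -> 192.168.40.1
05/12-14:02:36.000002  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.5 -> 192.168.40.1
05/12-14:02:40.500000  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.40.10:51000 -> 93.184.216.34:80
05/12-14:02:41.500000  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.40.11:51001 -> 93.184.216.34:80
05/12-14:02:42.500000  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.40.12:51002 -> 93.184.216.34:80
05/12-14:02:43.500000  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.40.10:51003 -> 93.184.216.34:80
05/12-14:02:50.000000  [**] [1:1000001:1] LOCAL placeholder exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:4444 -> 192.168.40.10:22
05/12-14:02:51.000000  [**] [1:1000001:1] LOCAL placeholder exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:4445 -> 192.168.40.10:22
this is not an alert line and must be ignored
"""


def _endpoint(ep, proto):
    """Split 'host:port' for TCP/UDP; other protocols carry no port. IPv4 only."""
    if proto in ("TCP", "UDP") and ":" in ep:
        host, port = ep.rsplit(":", 1)
        return host, int(port)
    return ep, None


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    src, sport = _endpoint(d["src"], d["proto"])
    dst, dport = _endpoint(d["dst"], d["proto"])
    return {
        "ts": d["ts"], "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "cls": d["cls"],
        "prio": int(d["prio"]) if d["prio"] is not None else None,
        "proto": d["proto"], "src": src, "sport": sport, "dst": dst, "dport": dport,
    }


def parse_alerts(text):
    """Parse a whole alert file, skipping lines that are not alerts."""
    return [a for a in map(parse_alert, text.splitlines()) if a]


def summarize(alerts):
    """Per-rule tally as (gid, sid, msg, count, distinct sources), noisiest first."""
    counts = Counter((a["gid"], a["sid"]) for a in alerts)
    msgs, srcs = {}, defaultdict(set)
    for a in alerts:
        msgs[(a["gid"], a["sid"])] = a["msg"]
        srcs[(a["gid"], a["sid"])].add(a["src"])
    return [(g, s, msgs[(g, s)], n, len(srcs[(g, s)]))
            for (g, s), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def suppress_entries(alerts, min_count=10):
    """Suppress-list lines for rules that fired at least min_count times.

    Priority-1 alerts (and alerts with no priority) are never suppressed here;
    review those by hand. A rule that only fired from one source gets a by_src
    suppression so it keeps alerting on anyone else.
    """
    worst, srcs = {}, defaultdict(set)
    for a in alerts:
        key = (a["gid"], a["sid"])
        srcs[key].add(a["src"])
        p = a["prio"] if a["prio"] is not None else 1  # unknown priority: treat as critical
        worst[key] = min(worst.get(key, 99), p)
    out = []
    for gid, sid, _msg, n, _nsrc in summarize(alerts):
        if n < min_count or worst[(gid, sid)] <= 1:
            continue
        if len(srcs[(gid, sid)]) == 1:
            (ip,) = srcs[(gid, sid)]
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
        else:
            out.append(f"suppress gen_id {gid}, sig_id {sid}")
    return out


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for gid, sid, msg, n, nsrc in summarize(alerts):
        print(f"{n:5d} x {gid}:{sid}  {msg}  ({nsrc} source(s))")
    print("\n".join(suppress_entries(alerts, min_count=2)))
```

Run it against a real file with `parse_alerts(open(path).read())` after a day or two of alert-only operation, read the tally top to bottom, and paste only the entries you agree with into the interface's suppress list; the by_src form is the right choice for a known scanner or a single chatty host, while a global `suppress gen_id, sig_id` is for rules that are genuinely uninteresting on your network. Keep the threshold high enough that a rule firing a handful of times still reaches you.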