How to Configure Snort for Intrusion Detection on FreeBSD Operating System

Learn how to configure Snort for intrusion detection on FreeBSD with this step-by-step guide.

Introduction

In today’s increasingly hostile network environment, intrusion detection systems (IDS) play a vital role in identifying potential security breaches and suspicious network activity. Snort, an open-source network intrusion detection and prevention system, has established itself as one of the most widely deployed IDS solutions worldwide. Its flexibility, robust detection capabilities, and active community support make it an excellent choice for organizations looking to enhance their security posture.

FreeBSD, with its stability, performance, and security focus, provides an excellent platform for deploying Snort. This comprehensive guide will walk you through the process of installing, configuring, and optimizing Snort on a FreeBSD system to create an effective intrusion detection solution.

Understanding Snort

Before diving into the installation and configuration process, it’s important to understand what Snort is and how it works.

What is Snort?

Snort is a network intrusion detection and prevention system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform:

  • Protocol analysis
  • Content searching/matching
  • Detection of various attacks and probes (buffer overflows, stealth port scans, CGI attacks, etc.)
  • Real-time alerting

Snort Operational Modes

Snort can operate in three primary modes:

  1. Sniffer Mode: Simply reads and displays packets on the console.
  2. Packet Logger Mode: Logs packets to disk for later analysis.
  3. Network Intrusion Detection Mode: The most complex and configurable mode, analyzing network traffic for matches against a user-defined rule set and performing specified actions when matches are found.

Prerequisites

Before installing Snort on FreeBSD, ensure you have:

  • A FreeBSD system (version 12.0 or later recommended)
  • Root or sudo access
  • An understanding of basic networking concepts
  • At least 2GB of RAM and 10GB of free disk space
  • A dedicated network interface for monitoring (recommended for production environments)

Installation Process

Step 1: Update Your FreeBSD System

Begin by ensuring your FreeBSD system is up-to-date:

freebsd-update fetch
freebsd-update install
pkg update && pkg upgrade

Step 2: Install Snort from Ports or Packages

FreeBSD offers two methods to install Snort: via packages or ports. The package method is faster, while the ports method offers more customization options.

Using Packages (Simpler Method):

pkg install snort

Using Ports (More Customizable):

cd /usr/ports/security/snort
make config

This will display a configuration menu where you can select additional options.

make install clean

Step 3: Install Required Dependencies

Ensure all dependencies are installed, particularly if you need database support:

pkg install mysql80-server mysql80-client p5-DBI p5-DBD-mysql

For improved performance, consider installing DAQ (Data Acquisition library):

pkg install libdaq

Basic Configuration

After installation, Snort requires configuration to function properly.

Step 1: Create Configuration Directories

Create directories for Snort configuration files and logs:

mkdir -p /usr/local/etc/snort
mkdir -p /var/log/snort
# Snort is started as the snort user below, so that user must own the log directory
chown snort:snort /var/log/snort
chmod 700 /var/log/snort

Step 2: Configure Network Variables

Edit the Snort configuration file:

ee /usr/local/etc/snort/snort.conf

Set your network variables at the beginning of the file:

# Set your home network - this should be the network you're protecting
ipvar HOME_NET 192.168.1.0/24

# Set external network - typically any network outside your own
ipvar EXTERNAL_NET !$HOME_NET

# Server definitions - these help Snort know what to monitor
ipvar DNS_SERVERS $HOME_NET
ipvar SMTP_SERVERS $HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar SQL_SERVERS $HOME_NET
ipvar TELNET_SERVERS $HOME_NET
ipvar SSH_SERVERS $HOME_NET

Adjust these values according to your network topology.

Step 3: Configure Rule Paths

Still in the snort.conf file, locate the rule path section and update it:

# Path to rules files
var RULE_PATH /usr/local/etc/snort/rules
var SO_RULE_PATH /usr/local/etc/snort/so_rules
var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules

Step 4: Create Required Directories

Create the directories specified in your configuration:

mkdir -p /usr/local/etc/snort/rules
mkdir -p /usr/local/etc/snort/so_rules
mkdir -p /usr/local/etc/snort/preproc_rules

Downloading and Configuring Rules

Snort relies on rules to detect intrusion attempts and other suspicious activities.

Step 1: Register for a Snort Account

Visit snort.org and register for a free account to access the official ruleset.

Step 2: Download Snort Rules

After registration, download the latest ruleset tarball from the Snort website. Transfer it to your FreeBSD server and extract it:

tar -xvzf snortrules-snapshot-*.tar.gz -C /usr/local/etc/snort

Step 3: Update Configuration for Rules

Make sure your snort.conf includes references to the relevant rule files:

# Community Rules
include $RULE_PATH/community.rules

# Snort Rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/blacklist.rules
# ... (include other rule files as needed)

Step 4: Configure Preprocessors

Preprocessors help Snort analyze traffic more effectively before rule evaluation:

# HTTP Inspect - Normalize HTTP traffic
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 \
    max_gzip_mem 104857600

preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 8000 } \
    oversize_dir_length 500 \
    server_flow_depth 0 \
    client_flow_depth 0

# Stream5 - Track TCP sessions
preprocessor stream5_global: track_tcp yes, \
    track_udp yes, \
    track_icmp no, \
    max_tcp 262144, \
    max_udp 65535

preprocessor stream5_tcp: policy windows, \
    detect_anomalies, \
    overlap_limit 10, \
    max_queue_events 32

Advanced Configuration

Setting Up Performance Optimizations

For better performance, especially on busy networks:

# Packet acquisition: the pcap DAQ is the one that works on FreeBSD (afpacket is Linux-only)
config daq: pcap
# Passive is the IDS mode; inline would need an in-path DAQ such as ipfw
config daq_mode: passive

# Performance settings
config detection: search-method ac-split search-optimize max-pattern-len 20

# Host attribute table limits (used with attribute_table); these are not thread settings
config max_attribute_hosts: 10000
config max_attribute_services_per_host: 10

# Memory cap, in bytes, for detection_filter state tracking
config detection_filter: memcap 1048576

Configuring Output Plugins

Snort offers several output options. Configure them according to your needs:

# Unified2 output - the standard for Snort logs
output unified2: filename snort.log, limit 128

# Optional: Log to a database for easier analysis. The database output plugin was removed
# in Snort 2.9.3, so on current versions feed the unified2 files to Barnyard2 instead.
# output database: log, mysql, user=snort password=YOUR_PASSWORD dbname=snort host=localhost

Setting Up Alerting

Configure how you want to receive alerts:

# Alert output to a file
output alert_fast: alert.fast

# Optional: Send alerts via syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

Testing Your Configuration

Before deploying Snort in a production environment, test your configuration:

Step 1: Validate Configuration

Check for syntax errors in your configuration:

snort -T -c /usr/local/etc/snort/snort.conf

If the test runs without errors, Snort prints "Snort successfully validated the configuration!" and exits with status 0; a fatal error names the configuration file and line that caused it.

Step 2: Test With Packet Capture

Run Snort with packet capture to see if it detects any traffic:

snort -A console -q -u snort -g snort -c /usr/local/etc/snort/snort.conf -i em0

Replace em0 with your network interface name.

Integrating Snort with FreeBSD Services

Setting Up as a FreeBSD Service

Create a startup script for Snort:

ee /usr/local/etc/rc.d/snort

Add the following content:

#!/bin/sh
#
# PROVIDE: snort
# REQUIRE: LOGIN
# KEYWORD: shutdown

. /etc/rc.subr

name="snort"
rcvar=snort_enable

load_rc_config $name

: ${snort_enable:="NO"}
: ${snort_interface:="em0"}
: ${snort_conf:="/usr/local/etc/snort/snort.conf"}
: ${snort_flags:="-D -q"}

command="/usr/local/bin/snort"
# Drop privileges to the snort user and group once the interface is open, as in the test command above
command_args="-A unified2 -u snort -g snort -i ${snort_interface} -c ${snort_conf} ${snort_flags}"
# Snort names its pid file after the interface it listens on (for em0: /var/run/snort_em0.pid)
pidfile="/var/run/snort_${snort_interface}.pid"

run_rc_command "$1"

Make the script executable:

chmod +x /usr/local/etc/rc.d/snort

Enable the service in /etc/rc.conf:

echo 'snort_enable="YES"' >> /etc/rc.conf

Start the service:

service snort start

Setting Up Log Rotation

Create a newsyslog configuration for Snort logs:

ee /etc/newsyslog.conf.d/snort.conf

Add the following:

# logfilename                   [owner:group]    mode count size  when  flags [/pid_file] [sig_num]
/var/log/snort/alert.fast       snort:snort      640  3     100   *     JN
# G marks the path as a glob (unified2 files carry a timestamp suffix); Snort itself caps each file at the unified2 "limit"
/var/log/snort/snort.log.*      snort:snort      640  3     100   *     JGN

Real-time Monitoring and Analysis

Setting Up a Basic Dashboard

For real-time monitoring, consider installing ACID (Analysis Console for Intrusion Databases) or Snorby:

pkg install apache24 php74 php74-mysqli php74-gd php74-pdo php74-pdo_mysql

Follow the specific installation instructions for your preferred dashboard software.

Regular Rule Updates

Keep your Snort rules updated regularly:

# Create an update script
ee /usr/local/sbin/update-snort-rules.sh

Add content to download and apply new rules:

#!/bin/sh
# Fetch the latest ruleset and restart Snort only if the new configuration validates.
# wget is not in the FreeBSD base system (pkg install wget); fetch(1) is the base alternative.
set -e
cd /tmp
wget -O snortrules-snapshot-current.tar.gz 'https://www.snort.org/downloads/community/snortrules-snapshot-current.tar.gz' --user=YOUR_OINKCODE --password=YOUR_PASSWORD
tar -xzf snortrules-snapshot-current.tar.gz -C /usr/local/etc/snort
rm -f snortrules-snapshot-current.tar.gz
snort -T -q -c /usr/local/etc/snort/snort.conf || { echo "updated rules failed validation; Snort not restarted" >&2; exit 1; }
service snort restart

Make the script executable and add it to cron for regular updates:

chmod +x /usr/local/sbin/update-snort-rules.sh
echo "0 0 * * 0 root /usr/local/sbin/update-snort-rules.sh" >> /etc/crontab

Tuning and Optimization

Reducing False Positives

After running Snort for a while, review the alerts and tune the rules:

  1. Identify frequent false positives
  2. Edit the corresponding rule files to disable or modify problematic rules
  3. Use the threshold.conf file to limit alert frequency

ee /usr/local/etc/snort/threshold.conf

Add threshold settings (snort.conf must contain an include threshold.conf line for them to be loaded):

# Limit certain alerts by threshold
# Format: threshold gen_id sig_id type track count seconds
threshold gen_id 1, sig_id 1851, type threshold, track by_src, count 5, seconds 60
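The first tuning step above, identifying frequent false positives, is easier with a summary of alert.fast. The following script is an added example written for this guide, not part of the original page or of Snort: it parses the alert_fast line format, counts alerts per signature and per source address over a constructed sample, and prints candidate threshold.conf lines in the format shown above (the sids 1000001/1000002 and the addresses are constructed).

```shell
#!/bin/sh
# Added example, not part of the original guide: summarise Snort's alert_fast output
# to find the noisiest signatures and sources before writing threshold.conf entries.
# The alert lines, the sids (1000001/1000002) and the addresses are constructed.

# Write a constructed alert.fast sample (five alerts, two signatures, two sources) to $1
make_sample_alerts() {
    cat > "$1" <<'EOF'
08/10-14:05:22.123456  [**] [1:1000001:1] LOCAL test web probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.5:43121 -> 192.168.1.10:80
08/10-14:05:23.223456  [**] [1:1000001:1] LOCAL test web probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.5:43122 -> 192.168.1.10:80
08/10-14:05:25.323456  [**] [1:1000001:1] LOCAL test web probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.6:50010 -> 192.168.1.10:80
08/10-14:06:01.423456  [**] [1:1000002:1] LOCAL test icmp echo [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.6 -> 192.168.1.10
08/10-14:06:30.523456  [**] [1:1000001:1] LOCAL test web probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.5:43124 -> 192.168.1.10:80
EOF
}

# Alerts per signature, busiest first: "<count> <gid:sid> <message>"
top_signatures() {
    awk '{
        id = substr($3, 2, length($3) - 2); sub(/:[0-9]+$/, "", id)   # "[1:1000001:1]" -> "1:1000001"
        msg = ""
        for (i = 4; i <= NF && $i != "[**]"; i++) msg = msg (i > 4 ? " " : "") $i
        n[id " " msg]++
    } END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Alerts per source address, busiest first: "<count> <ip>" (port stripped; ICMP lines have none)
top_sources() {
    awk '{ src = $(NF - 2); sub(/:[0-9]+$/, "", src); n[src]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Emit a threshold.conf line for each signature with more than $2 alerts, using the
# guide's "type threshold, track by_src, count 5, seconds 60" pattern as a starting point
suggest_thresholds() {
    top_signatures "$1" | awk -v min="$2" '$1 > min {
        split($2, g, ":")
        printf "threshold gen_id %s, sig_id %s, type threshold, track by_src, count 5, seconds 60\n", g[1], g[2]
    }'
}

SAMPLE=$(mktemp)
make_sample_alerts "$SAMPLE"
echo "== alerts per signature =="; top_signatures "$SAMPLE"
echo "== alerts per source =="; top_sources "$SAMPLE"
echo "== suggested threshold.conf lines (more than 3 alerts) =="; suggest_thresholds "$SAMPLE" 3
rm -f "$SAMPLE"
```

Point the functions at /var/log/snort/alert.fast instead of the sample to review a live deployment; the suggested lines are a starting point, and the count and seconds values should be set per signature.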

Performance Tuning

For busy networks, adjust these settings:

# Increase the pcap DAQ capture buffer (bytes) to reduce packet drops under load
config daq_var: buffer_size=268435456

# Cap how many matched events are queued per packet and how many of them are logged
config event_queue: max_queue 8 log 3 order_events content_length

Troubleshooting Common Issues

Snort Not Starting

Check the system logs:

tail /var/log/messages

Verify permissions:

ls -la /var/log/snort
ls -la /usr/local/etc/snort

High CPU Usage

Optimize your rules and preprocessors:

  1. Disable unnecessary rules
  2. Adjust stream5 preprocessor settings
  3. Consider using hardware acceleration if available

Missing Alerts

Check that your interface is in the correct mode:

ifconfig em0 promisc

Verify that Snort is monitoring the correct interface:

ps aux | grep snort

Conclusion

Configuring Snort on FreeBSD provides a powerful intrusion detection solution for your network. By following this guide, you’ve established a solid foundation for network security monitoring. Remember that effective intrusion detection requires ongoing maintenance and tuning—regularly update your rules, monitor alerts, and adjust your configuration to match your evolving network environment.

With proper configuration and regular maintenance, Snort on FreeBSD can significantly enhance your security posture, providing early warning of potential security incidents and valuable forensic information for incident response. As your experience with Snort grows, you can further customize and optimize your implementation to better protect your specific network environment.