Differences between revisions 1 and 13 (spanning 12 versions)
Revision 1 as of 2017-03-14 20:51:35 (size 2269, editor: scot)
Revision 13 as of 2021-03-25 14:08:25 (size 3776, editor: scot)

Lab 07 IDS/IPS with Suricata and pfSense

Introduction

Many users seem to think you can just install the Snort package and forget about it and your network will be protected. That's not true. You have to install the package, enable some rules, then start disabling false positives or adding suppress list entries for them. You have to analyze what types of assets you are protecting (web servers, mail servers, database servers, etc.) and set up either package keeping the defended networks/servers in mind. You set things like ports, operating system types, etc. Then you make sure the proper rules are active.

This lab introduces you to Suricata.

Lab Goal

Install Suricata on the pfSense box. You may use the documentation from NetGate (https://docs.netgate.com/pfsense/en/latest/index.html), but be aware that it does not have a specific Suricata install page and instead points you to the Snort docs. I followed the steps below:

  1. Under System -> Package Manager -> Available Packages -> Suricata (install)

  2. Under Services -> Suricata -> Global Settings: set up the rules

    1. You will need to set up an account on snort.org to get an oinkmaster code (hint: it's in your profile); follow the link and directions on this pfSense page.
    2. You will need to set up an account for the GeoLite2 database; follow the directions on this pfSense page.
    3. Rules Setup 1 (screenshot attachment: Suricata Setup 1.png)
    4. Rules Setup 2 (screenshot attachment: Suricata Setup 2.png)
    5. The rest of the Global Settings setup should be intuitive to you!

  3. Under Services -> Suricata -> Updates: update your rules (they haven't been downloaded yet)

  4. Under Services -> Suricata -> Pass Lists: leave the default and save.

    1. Near the end, I didn't use "Assigned Aliases" because there are no "Aliases" in my system at this point.

  5. Under Services -> Suricata -> Suppress: eventually you will want to add some rules here so that your system doesn't get overwhelmed with log entries. Consider adding:

    1. Invalid Checksum rules for IPv4 and IPv6.

  6. Under Services -> Suricata -> Interfaces: add the WAN interface. Choose the defaults (I didn't change anything yet) and save it.

    1. Under WAN Categories, select some appropriate rule sets to enable.
    2. Under WAN Rules, review what is enabled and disabled (I enabled all to start with).

  7. At this point we are ready to start Suricata on the WAN interface. Under Services -> Suricata -> Interfaces: push the green play button.

You can now go to the logs view and see what is being logged. Play around a bit with it. Read what the rules actually do (explore). When you are ready create the video as described below.
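As an added example (not part of the lab page or the pfSense package), the script below reads Suricata's EVE JSON alert log, which the pfSense package writes per interface under /var/log/suricata/ (that path is an assumption; the Logs View shows the real one). It covers two of the steps above: it ranks the noisiest signatures and emits suppress entries in Suricata's threshold.config syntax for the Suppress tab, and it checks whether a chosen rule fired, from which source, and whether the hit was dropped, for the "Show Me" part. The sample log lines are constructed.

```python
import json
from collections import Counter

# Constructed sample eve.json lines: the field layout is Suricata's EVE
# 'alert' event, but every address, sid, timestamp and signature is made up.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2021-03-25T14:01:02.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.10","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2200000,"rev":2,"signature":"SURICATA IPv4 invalid checksum","category":"Generic Protocol Command Decode","severity":3}}',
    '{"timestamp":"2021-03-25T14:01:03.000000+0000","event_type":"alert","src_ip":"198.51.100.8","dest_ip":"203.0.113.10","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2200000,"rev":2,"signature":"SURICATA IPv4 invalid checksum","category":"Generic Protocol Command Decode","severity":3}}',
    '{"timestamp":"2021-03-25T14:01:04.000000+0000","event_type":"alert","src_ip":"2001:db8::1","dest_ip":"2001:db8::10","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2200001,"rev":2,"signature":"SURICATA IPv6 invalid checksum","category":"Generic Protocol Command Decode","severity":3}}',
    '{"timestamp":"2021-03-25T14:02:00.000000+0000","event_type":"flow","src_ip":"192.0.2.55","dest_ip":"203.0.113.10","proto":"TCP"}',
    '{"timestamp":"2021-03-25T14:02:01.000000+0000","event_type":"alert","src_ip":"192.0.2.55","dest_ip":"203.0.113.10","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2100001,"rev":1,"signature":"EXAMPLE SCAN constructed test rule","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2021-03-25T14:02:0',  # truncated: the line still being written
])

def parse_alerts(eve_text):
    """Return only the 'alert' events; skip blank, truncated and non-alert lines."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue  # a partial last line of a live log is normal, not an error
        if event.get("event_type") == "alert":
            alerts.append(event)
    return alerts

def count_by_signature(alerts):
    """Counter of (gid, sid, signature name) -> number of hits."""
    return Counter((a["alert"]["gid"], a["alert"]["signature_id"],
                    a["alert"]["signature"]) for a in alerts)

def suppress_candidates(alerts, min_hits=2):
    """Noisiest signatures first, each with a suppress entry in Suricata's
    threshold.config syntax. Review each: a chatty rule may be a real attack."""
    return [(f"suppress gen_id {gid}, sig_id {sid}", name, n)
            for (gid, sid, name), n in count_by_signature(alerts).most_common()
            if n >= min_hits]

def check_rule(alerts, sid):
    """'Show Me' helper: did rule sid fire, from which sources, and was a hit
    dropped inline (action 'blocked')? pfSense legacy-mode pf-table blocks are
    not recorded here, so check the Blocks tab for those."""
    hits = [a for a in alerts if a["alert"]["signature_id"] == sid]
    return {"fired": bool(hits),
            "sources": sorted({a["src_ip"] for a in hits}),
            "blocked": any(a["alert"]["action"] == "blocked" for a in hits)}
```

To run it against a real log, replace SAMPLE_EVE with the contents of your interface's eve.json and call suppress_candidates() and check_rule() on the parsed alerts.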

Show Me

I am starting to add time limits to these labs. It should take you less than 2 minutes to show me the required material. Videos longer than 2 minutes will have 1 point deducted for every 5 seconds over. Include a voice-over in your video to talk me through the elements.

  1. Show me your configuration:
    1. Walk me through your Suricata interfaces
      1. WAN Settings
      2. WAN Categories
      3. WAN Rules - make sure they reflect what is needed to protect your system.
    2. Walk me through the Global Settings (identify what you changed)
    3. Show me that your rule sets were updated after the Lab assignment was given.
  2. You may not have any alerts on your Suricata box yet because it is deeply buried behind layers of security already. For 50% of the lab points:

    1. Pick a rule that you have enabled (or that was enabled for you)
    2. Show that there is no alert for it.
    3. Try to violate the rule.
    4. Show that an alert has been logged and that the offending IP has been blocked.

NetworkSecurity/Lab/Lab07 (last edited 2021-05-09 13:48:01 by scot)