Revision 2667 | Revision 3884
Deletions are marked like this. | Additions are marked like this. |
Line 11: | Line 11: |
Install Suricata on the pfSense box. For that purpose you may use the documentation from [[https://docs.netgate.com/pfsense/en/latest/index.html]]. The steps are not labeled, but let me give you a few hints: | Install Suricata on the pfSense box. You may use the documentation from [[https://docs.netgate.com/pfsense/en/latest/index.html|NetGate]] (be aware that it does not have a specific Suricata install page, but instead points you to the Snort docs). I followed the steps below: /* I found [[https://elatov.github.io/2016/11/setup-suricata-on-pfsense/|this]] site to be useful as well */: |
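Review bot: the second reference on the added side (the elatov.github.io walkthrough) is wrapped in `/* ... */`, which is this wiki's comment markup and so will be hidden in the rendered page; if it is meant for readers, move the link into the visible sentence, and drop the stray colon left after `*/`.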
Line 16: | Line 17: |
1. You will need to setup an account for the GeoLite2 database follow the directions on this pfSense page. 1. Section 1 [[attachment:Suricata Setup 1.png]] 1. Section 2 [[attachment:Suricata Setup 2.png]] 1. Near the end, I got hung up on "Assigned Aliases" because there is no "ALIASES" button. Instead you can find Aliases listed under the Firewall menu. |
1. You will need to setup an account for the !GeoLite2 database follow the directions on this pfSense page. 1. [[attachment:Suricata Setup 1.png|Rules Setup 1]] 1. [[attachment:Suricata Setup 2.png|Rules Setup 2]] 1. The rest of the Global Settings setup should be intuitive to you! 1. Under Services -> Suricata -> Updates: Update your rules (they haven't been downloaded yet) 1. Under Services -> Suricata -> Pass Lists: Leave default and save. 1. Near the end, I didn't use "Assigned Aliases" because there are no "Aliases" in my system at this point. 1. Under Services -> Suricata -> Supress: Eventually you will want to add some rules here, so that your system doesn't get overwhelmed with log entries. Connsider adding: 1. Invalid Checksum rules for IPv4 and IPv6. 1. Under Services -> Suricata -> Interfaces: Add the WAN interface. Choose default (I didn't change anything yet) and save it. 1. Under WAN Categories, Select some appropriate rule sets to enable. 1. Under Wan Rules, Review what is enabled and disabled (I enabled all to start with) 1. At this point we are ready to start Suricata on the WAN interface. Under Services -> Suricata -> Interfaces: Push the green play button You can now go to the logs view and see what is being logged. Play around a bit with it. Read what the rules actually do (explore). When you are ready create the video as described below. |
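Review bot: spelling and grammar on the added side: "Supress" should be "Suppress" (matching the Services -> Suricata -> Suppress tab the step refers to), "Connsider" should be "Consider", "setup an account" should be "set up an account", and "follow the directions on this pfSense page" runs on from the previous clause and has lost the link to the page it means. The WAN Rules step ("I enabled all to start with") will make the alert log very noisy until the Suppress step is done, so it would help readers to say explicitly that the suppress entries are where that noise gets trimmed, rather than leaving the two steps unconnected.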
Line 37: | Line 49: |
== Figures == |
Lab 07 IDS/IPS with Suricata and pfSense
Introduction
Many users seem to think you can simply install the Snort package, forget about it, and your network will be protected. That is not true. You have to install the package, enable some rules, and then start disabling the rules that produce false positives or adding suppress list entries for them. You have to analyze what types of assets you are protecting (web servers, mail servers, database servers, etc.) and set up whichever package you use with those defended networks and servers in mind: you set things like ports, operating system types, etc., and then make sure the proper rules are active.
This lab introduces you to Suricata.
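The tuning loop the Introduction describes (look at what is firing, then silence the noisy false positives with suppress entries) can be scripted against Suricata's eve.json alert log. The following is an added example, not part of this lab and not code from Suricata or pfSense: the alert records, signature ids (9000001 to 9000003), names and addresses it parses are constructed, and the lines it emits use the `suppress gen_id ..., sig_id ...` syntax of Suricata's threshold.conf, which is also what the pfSense Suppress tab accepts.

```python
import json
from collections import Counter

# Constructed Suricata EVE JSON records (one object per line), shaped like the
# alerts Suricata writes to eve.json. The signature ids, signature names and
# addresses are made up for this example, not taken from a real install.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.2","alert":{"gid":1,"signature_id":9000001,"signature":"EXAMPLE TCPv4 invalid checksum","category":"Generic Protocol Command Decode"}}
{"event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.2","flow":{"state":"closed"}}
{"event_type":"alert","src_ip":"192.0.2.11","dest_ip":"198.51.100.2","alert":{"gid":1,"signature_id":9000001,"signature":"EXAMPLE TCPv4 invalid checksum","category":"Generic Protocol Command Decode"}}
{"event_type":"alert","src_ip":"192.0.2.12","dest_ip":"198.51.100.2","alert":{"gid":1,"signature_id":9000001,"signature":"EXAMPLE TCPv4 invalid checksum","category":"Generic Protocol Command Decode"}}
{"event_type":"alert","src_ip":"203.0.113.5","dest_ip":"198.51.100.2","alert":{"gid":1,"signature_id":9000002,"signature":"EXAMPLE HTTP unexpected request method","category":"Web Application Attack"}}
{"event_type":"alert","src_ip":"203.0.113.5","dest_ip":"198.51.100.2","alert":{"gid":1,"signature_id":9000002,"signature":"EXAMPLE HTTP unexpected request method","category":"Web Application Attack"}}
{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"198.51.100.2","alert":{"gid":1,"signature_id":9000003,"signature":"EXAMPLE DNS query to blocklisted domain","category":"Potentially Bad Traffic"}}
"""

def parse_alerts(text):
    """Yield (gid, sid, signature, src_ip) per alert record; other event types are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        alert = event["alert"]
        yield alert.get("gid", 1), alert["signature_id"], alert["signature"], event.get("src_ip")

def alert_counts(text):
    """Count alerts per (gid, sid, signature); returns [((gid, sid, sig), n), ...], noisiest first."""
    counter = Counter((gid, sid, sig) for gid, sid, sig, _ in parse_alerts(text))
    return counter.most_common()

def suppress_entries(text, min_hits):
    """threshold.conf 'suppress' lines for signatures firing at least min_hits times.
    Review each candidate before pasting it into the Suppress list: noisy is not the same as benign."""
    entries = []
    for (gid, sid, sig), n in alert_counts(text):
        if n >= min_hits:
            entries.append(f"# {sig}: {n} hits in sample")
            entries.append(f"suppress gen_id {gid}, sig_id {sid}")
    return entries

def suppress_for_source(gid, sid, src_ip):
    """Narrower form: silence one signature only for one source address, keeping it live for everyone else."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src_ip}"

if __name__ == "__main__":
    print("\n".join(suppress_entries(SAMPLE_EVE, min_hits=3)))
```

On a pfSense box the same records are in the Suricata log directory for the interface; point `SAMPLE_EVE` at the contents of that eve.json instead of the constructed sample.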
Lab Goal
Install Suricata on the pfSense box. You may use the documentation from NetGate (be aware that it does not have a specific Suricata install page, but instead points you to the Snort docs). I followed the steps below: