Lab 07 IDS/IPS with Snort and pfSense

Introduction

Many users seem to think you can just install the Snort package and forget about it, and your network will be protected. That's not true. You have to install the package, enable some rules, then start disabling false positives or adding suppress-list entries for them. You have to analyze what types of assets you are protecting (web servers, mail servers, database servers, etc.) and set up the package with the defended networks and servers in mind: you set things like ports, operating system types, etc. Then you make sure the appropriate preprocessors are enabled and that the proper rules are active.

This lab introduces you to Snort. Here are some questions you should be able to answer about Snort after you complete this lab and do some research.

  1. What are the 5 major components of Snort?
  2. What is PulledPork?
  3. What does Snort itself not provide in the way of a GUI?
  4. Where are the GUI(s) for Snort?
  5. What is Barnyard2?

Lab Goal

Install Snort on the pfSense box. For that purpose you may use the documentation from pfSense. The steps are not labeled, but let me give you a few hints:

  1. You have to install the package (under System) first.
  2. You will need to set up an account on snort.org to get an Oinkmaster code (hint: it's in your profile).
  3. Near the end, I got hung up on "Assigned Aliases" because there is no "ALIASES" button. Instead, you can find Aliases listed under the Firewall menu.

Show Me

  1. Show me your configuration:
    1. Walk me through your Snort interfaces:
      1. WAN Settings
      2. WAN Categories
      3. WAN Rules
    2. Walk me through the Global Settings (identify what you changed).
    3. Show me that your rule sets were updated after the lab assignment was given.
  2. You may not have any alerts on your Snort box yet because it is deeply buried behind layers of security already. For 50% of the lab points:
    1. Pick a rule that you have enabled (or that was enabled for you).
    2. Show that there is no alert for it.
    3. Try to violate the rule.
    4. Show that an alert has been logged.
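The workflow described in the introduction (enable rules, watch what fires, suppress the false positives as narrowly as possible) and the "Show Me" check at the end (is there an alert for rule X yet, or not) both come down to reading Snort's alert log. The script below is an added example written for this lab; it is not part of the Snort or pfSense packages. It parses Snort's `alert_fast` output format, answers "how many alerts has rule gid:sid logged", and proposes suppress-list entries in the same syntax the pfSense Snort package uses for its Suppress List. The log lines, the SIDs 1000001 and 1000002 (placeholders in the local-rule range) and the IP addresses are constructed for the example, and the 75% "dominant source" threshold is an assumption made here, not a Snort setting.

```python
"""Parse Snort alert_fast lines, count alerts per rule, and draft suppress-list
entries for noisy rules.  Added example for this lab; the log below is
constructed, not captured from a real sensor."""
import re
import sys
from collections import Counter

# Constructed alert_fast lines.  SIDs 1000001/1000002 are placeholders in the
# local-rule range; the addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
03/14-10:02:11.482913  [**] [1:1000001:2] LOCAL Suspicious user-agent in HTTP request [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51422 -> 198.51.100.7:80
03/14-10:02:12.010044  [**] [1:1000001:2] LOCAL Suspicious user-agent in HTTP request [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51423 -> 198.51.100.7:80
03/14-10:02:12.551200  [**] [1:1000001:2] LOCAL Suspicious user-agent in HTTP request [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.11:40010 -> 198.51.100.7:80
03/14-10:05:40.120000  [**] [1:1000002:1] LOCAL ICMP echo to monitored server [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.7
03/14-10:06:01.900000  [**] [1:1000001:2] LOCAL Suspicious user-agent in HTTP request [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51499 -> 198.51.100.7:80
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, {proto}, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Return one dict per parseable alert_fast line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for k in ("gid", "sid", "rev", "prio"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def alerts_for_rule(alerts, gid, sid):
    """The 'Show Me' check: all logged alerts for one rule (empty list = none yet)."""
    return [a for a in alerts if a["gid"] == gid and a["sid"] == sid]


def summarize(alerts):
    """Group alerts by (gid, sid): hit count, rule message, hits per source IP."""
    summary = {}
    for a in alerts:
        entry = summary.setdefault((a["gid"], a["sid"]),
                                   {"msg": a["msg"], "count": 0, "sources": Counter()})
        entry["count"] += 1
        entry["sources"][a["src"]] += 1
    return summary


def suppress_entry(gid, sid, ip=None, track="by_src"):
    """One line of Snort suppress-list syntax, optionally scoped to one IP."""
    line = f"suppress gen_id {gid}, sig_id {sid}"
    if ip:
        line += f", track {track}, ip {ip}"
    return line


def suggest_suppressions(summary, min_hits=3, dominant_share=0.75):
    """Draft suppress entries for rules that fired at least min_hits times.
    If a single source produced >= dominant_share of the hits, suppress only
    that source (track by_src) so the rule keeps firing for everyone else;
    otherwise suppress the signature as a whole.  The threshold is this
    example's assumption; a person still confirms the hits are false positives."""
    entries = []
    for (gid, sid), e in sorted(summary.items()):
        if e["count"] < min_hits:
            continue
        ip, hits = e["sources"].most_common(1)[0]
        if hits / e["count"] >= dominant_share:
            entries.append(suppress_entry(gid, sid, ip))
        else:
            entries.append(suppress_entry(gid, sid))
    return entries


if __name__ == "__main__":
    # Usage: python snort_alerts.py [/path/to/alert]   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    alerts = parse_alerts(text)
    print(f"{len(alerts)} alerts parsed")
    for (gid, sid), e in sorted(summarize(alerts).items()):
        print(f"[{gid}:{sid}] {e['count']:>3}  {e['msg']}  sources={dict(e['sources'])}")
    print("\nSuggested suppress entries:")
    for line in suggest_suppressions(summarize(alerts)):
        print("  " + line)
```

Run it against the sample and the HTTP rule shows four hits, three of them from one host, so the suggestion is a `track by_src` suppress for that host rather than silencing the rule; the ICMP rule, with a single hit, gets no suggestion at all. Point it at your own alert file to confirm "no alert yet" for the rule you picked before you try to trip it, then run it again afterwards.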