pfSense with Snort
The pfSense project is a free, open source tailored version of FreeBSD for use as a firewall and router with an easy-to-use web interface.
There are two ways of installing pfSense.
- Full installation
- Embedded Installation
For more details on pfSense installation you may refer to the previous workshop. Here you are going to deploy a pre-installed Oracle VirtualBox machine and a Linux GUI box to configure Snort and do some testing.
Setting up VM's
- You may download the two OVA files from here1 and here2.
- Import them into Oracle VirtualBox via File > Import Appliance.
- While importing, make sure to tick "Reinitialize the MAC address of all network cards".
- Our lab network will be:
  LAN or WiFi --> Your Host Machine --> Bridge Port --> ETH0 [ pfSense ] ETH1 <--> Linux Box
- Please double-check your VM network connections before powering them on.
- If all settings are satisfactory, power on both virtual machines.
Network Setup
Once they have booted, go to your Linux box, open the Firefox browser and go to https://192.168.1.1
- The default credentials are admin/pfsense.
- You may change the WAN IP Address of your pfSense instance by visiting Interfaces > WAN
- Change IPv4 Configuration Type to Static IPv4.
- Enter your WAN address according to the table.
- Add a new Gateway with the IP address 192.248.6.254.
- Do the same for the IPv6 configuration; your gateway will be 2401:dd00:…..
At this point we do not change any LAN settings.
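A static WAN address only works if the gateway you add lies inside the WAN subnet and the WAN subnet does not overlap the LAN (192.168.1.0/24). The following pre-flight check is an added example, not part of the workshop page: it uses the page's gateway and LAN address, while the WAN address 192.248.6.10/24 is an assumed value standing in for your entry from the workshop table.

```python
import ipaddress

# Constructed lab plan. The gateway and LAN address come from the workshop
# instructions; the WAN address is assumed and should be replaced by the
# value assigned to you in the table.
LAB_PLAN = {
    "wan_address": "192.248.6.10/24",   # assumed placeholder
    "wan_gateway": "192.248.6.254",     # gateway from the lab instructions
    "lan_address": "192.168.1.1/24",    # pfSense LAN address used by the lab
}


def check_plan(plan):
    """Return a list of problems found in an interface plan; empty means OK."""
    problems = []
    wan = ipaddress.ip_interface(plan["wan_address"])
    lan = ipaddress.ip_interface(plan["lan_address"])
    gw = ipaddress.ip_address(plan["wan_gateway"])

    # The gateway must be a host inside the WAN subnet; otherwise pfSense
    # cannot reach it on the link and the default route never comes up.
    if gw not in wan.network:
        problems.append(f"gateway {gw} is outside WAN subnet {wan.network}")
    elif gw == wan.ip:
        problems.append("gateway must not be the WAN address itself")

    # Interface addresses must be usable hosts, not the network or
    # broadcast address of their subnet.
    for name, iface in (("WAN", wan), ("LAN", lan)):
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} address {iface.ip} is not a usable host address")

    # Overlapping WAN and LAN subnets make routing between them ambiguous.
    if wan.network.overlaps(lan.network):
        problems.append(f"WAN {wan.network} overlaps LAN {lan.network}")
    return problems


if __name__ == "__main__":
    for issue in check_plan(LAB_PLAN) or ["plan looks consistent"]:
        print(issue)
```

The same function accepts IPv6 entries (for example a full 2401:dd00:… address and gateway) once you have the complete values from the workshop table.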
Snort
The lab pfSense instance comes with Snort pre-installed using default settings. If you need to install it on your own instance, go to Package Manager, search for snort in the Available Packages list and install it.
Once installed, you can configure one or more instances of Snort to run within pfSense. Each Snort instance runs with its own settings and against a particular virtual interface.
Launching Snort configuration GUI
- To launch the Snort configuration application, navigate to Services > Snort from the menu in pfSense.
Setting up Snort package for the first time
- Click the Global Settings tab and enable the rule set downloads to use.
- Select Enable Snort GPLv2, Enable ET Open, Enable OpenAppID and Enable RULES OpenAppID.
(If either the Snort VRT or the Emerging Threats Pro rules are checked, a text box will be displayed to enter the unique subscriber code obtained with the subscription or registration.)
- Once the desired rule sets are enabled, next set the interval for Snort to check for updates to the enabled rule packages. Use the Update Interval drop-down selector to choose a rule update interval. In most cases every 12 hours is a good choice.
- The update start time may be customized if desired.
- Finally, Save the configuration.