Monday, November 9, 2009

INSTALL IPS(SNORT) WITH PFSENSE

I/INTRO

Pfsense use snort as IPS( Snort Used by fortune 500 companies and goverments Snort is the most widely deployed IDS/IPS technology worldwide. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. )

II/INSTALL

In This lab we need setup network with info:

Wan Interface:192.168.20.203
Lan Interface:172.16.1.1



STEP 1:Install pfsense as ip
STEP 2:Install snort(The package is available to install from System > Packages and you must only install SNORT or SNORT_DEV never both. It is strongly suggested you get a paid subscription form www.snort.org in order for you to download the latest rules. )
STEP 3:After Install done We configure snort(Services > Snort)click tab Setting and configure as image



Notes:

Block offenders:Pfsense will automatically block hosts that generate a snort alert
Remove blocked hosts every: It Will auto remove hosts from tab blocked
Oinkmaster code:you need register 1 Account in Snort or buy (http://www.snort.org/vrt/buy-a-subscription/ will get the the latest rule updates 30 days faster than registered users)


Step 4:click tab update rules(please waith about 4-10 minutes)

Step 5:Test before attack(ping external ip)


Step 6:user super scan tool scan ip external and check tab blocked


Step 7 :access agian ip external

Step 8:Delete ip attacker in tab blocked and test again


Beside You can use Blocking Skype ,Yahoo ,P2P.... with pfSense and Snort.I will intro later

2 comments:

  1. Hello..

    I/We (my group) have a project going on at school right now, which basically is to set up an IDS and IPS on a server, and try playing a bit with metasploit.
    ATM we are stucked about the fact that the "Blocked list" might not update right after an attack has been performed (in out case ICMP is used as well).
    Somewhere we have read that this might be a generel time limit, which takes 5-10 minutes to update the blocked section.
    Our question is of course whether you have occured this problem at your way during the process.

    Thanks'
    The Suspicious-wondering-team

    ReplyDelete
  2. Hello..

    I/We (my group) have a project going on at school right now, which basically is to set up an IDS and IPS on a server, and try playing a bit with metasploit.
    ATM we are stucked about the fact that the "Blocked list" might not update right after an attack has been performed (in out case ICMP is used as well).
    Somewhere we have read that this might be a generel time limit, which takes 5-10 minutes to update the blocked section.
    Our question is of course whether you have occured this problem at your way during the process.

    Thanks'
    The Suspicious-wondering-team

    ReplyDelete