Lab 6.3.4: Implement Intrusion Prevention [WLOs: 3, 4] [CLOs: 3, 4]

 

  1. Sign in to the pfSense management console.
    1. In the Username field, enter admin.
    2. In the Password field, enter P@ssw0rd (the 0 is a zero).
    3. Select SIGN IN or press Enter.
  2. Access the Snort Global Settings.
    1. From the pfSense menu bar, select Services > Snort.
    2. Under the Services breadcrumb, select Global Settings.
  3. Configure the required rules to be downloaded.
    1. Select Enable Snort VRT.
    2. In the Snort Oinkmaster Code field, enter 359d00c0e75a37a4dbd70757745c5c5dg85aa. You can copy and paste this from the scenario.
    3. Select Enable Snort GPLv2.
    4. Select Enable ET Open.
  4. Configure the Sourcefire OpenAppID Detectors to be downloaded.
    1. Under Sourcefire OpenAppID Detectors, select Enable OpenAppID.
    2. Select Enable RULES OpenAppID.
  5. Configure when and how often the rules will be updated.
    1. Under Rules Update Settings, use the Update Interval drop-down menu to select 1 Day.
    2. For Update Start Time, change to 01:00.
    3. Select Hide Deprecated Rules Categories.
  6. Configure Snort General Settings.
    1. Under General Settings, use the Remove Blocked Hosts Interval drop-down menu to select 1 HOUR.
    2. Select Startup/Shutdown Logging.
    3. Select Save.
  7. Configure the Snort Interface settings for the WAN interface.
    1. Under the Services breadcrumb, select Snort Interfaces and then select Add.
    2. Under General Settings, make sure Enable interface is selected.
    3. For Interface, use the drop-down menu to select WAN (CorpNet_pfSense_L port 1).
    4. For Description, use WANSnort.
    5. Under Alert Settings, select Send Alerts to System Log.
      1. Select Block Offenders.
      2. Scroll to the bottom and select Save.
    6. Start Snort on the WAN interface.
      1. Under the Snort Status column, select the arrow.
      2. Wait for a checkmark to appear, indicating that Snort was started successfully.
