pfSense and Snorby
2022-04-21 16:37:00 【Sword-heart】
0x00 Background
Hacker attacks are inevitable. As the saying goes, anyone who roams the rivers and lakes gets hit sooner or later (no one can claim their network is absolutely safe). So what do you do when you get hacked? Obviously the first thing is to fix the vulnerability and remove the backdoor. But how do you fix the vulnerability? And what if another one turns up? This is where IDS comes in:
IDS stands for intrusion detection system. Formally, an IDS follows a defined security policy and uses software and hardware to monitor the operation of the network and the system, detecting as many attack attempts, attack behaviours or attack results as possible, in order to protect the confidentiality, integrity and availability of network and system resources.
IPS: one step up from IDS is IPS, the intrusion prevention system. An IDS only detects and does not act; an IPS takes action after the IDS has discovered an attack attempt or behaviour.
0x01 Introduction to pfSense and Snorby
pfSense is an open-source distribution based on FreeBSD, customised for firewall and router functions. It is installed on a computer and acts as the firewall and router in the network, is known for its reliability, and provides features that are usually only found in expensive commercial firewalls (such as VPN, IDS and IPS).
Snorby is a Ruby on Rails web application that provides a front end for network security monitoring and the currently popular intrusion detection systems (Snort, Suricata and Sagan). The goal of the project is to create a free, open-source and competitive network monitoring application for private and business use.
0x02 Installing and deploying Snorby
First, set up the installation source (the epel repository is required).
Snorby Git official site: https://github.com/Snorby/snorby
The installation steps follow; I will not go through them at length.
See here for the detailed installation: http://hi.baidu.com/huting/item/7a60eb725e66cb206e29f6b8
(Just install the first one.)
Here Snorby only analyses the data; it does not capture it. Capture is done by Suricata inside pfSense. The captured data is written into the mysqld instance on the Snorby host, and Snorby analyses the data by reading the local MySQL database.
Therefore the Snorby server only needs to be placed somewhere that pfSense can reach.
Can it be placed on the public Internet? It should work, but I did not try it here.
After installation it looks like this (default user name: [email protected], password: snorby):
Click Settings; there is a time setting here (pay attention to it, because a wrong time is troublesome).
The next one, 500000, is a very important parameter (it is an upper limit).
0x03 Deploying and configuring pfSense
Installing pfSense is not covered here; the Internet is full of guides.
pfSense is a firewall, so it has to be deployed at the network boundary. Nothing more to say about that.
A. Download and install the Suricata package
System -> Packages (shown in the original screenshot). Note: set up DNS before doing this, otherwise domain names cannot be resolved and the package cannot be downloaded.
B. Global Settings
After installation, find Suricata under Services and do the basic configuration.
The interface is shown in the screenshot (not preserved here).
We start with Global Settings, which are divided into three parts.
1. Rule download
There should be four options; the second and third require a subscription code.
I do not know whether they cost money; I have not tried them here.
2. Rule update settings
I set this to once a week.
3. General Settings
There is one key setting here.
Remove Blocked Hosts Interval: I set it to 15 minutes; the default is NEVER.
What does this mean? It relates to the IPS function described later: when the IPS detects a threat, the offending address is added to the Blocked list, and addresses in the Blocked list are not allowed through the firewall.
Setting it to 15 minutes means that the addresses in the Blocked list are cleared every 15 minutes.
C. Other settings
Download the rule set
The settings are done; click Check here to download the rule files.
Pass lists (this is the white list)
Not much to say here; it is covered in the IPS section below.
0x04 pfSense + Snorby == IDS & IPS
Enabling the IDS function
Key pfSense configuration: add the interface to monitor
I only have two network cards here; I chose WAN, the Internet-facing one (check the box above).
Set up Iface Categories
Here I selected all of them, then saved (choose according to your own needs).
Set up Iface Rules
Select Auto-Flowbit Rules here (rules enabled automatically because other enabled rules depend on their flowbits), then apply.
Set up Iface Barnyard2 (the key step)
The Enable MySQL option below is the key; fill in the MySQL details of the Snorby server here.
(Note: MySQL must allow remote access. Each of the pages above is configured once and must be saved once.)
The basic IDS configuration is complete, as shown in the screenshot.
Click the red cross above to start it.
This is the effect after startup.
If it is working, you can see the result in Snorby; the screenshot looks like this.
Let me run a scan to see the effect; I use nmap for a light scan.
I ran it inside a virtual machine, which is quite laggy!
Impressive! It shows directly that you scanned with nmap.
Enabling the IPS function
In WAN Settings there is an Alert Settings section, as shown in the screenshot.
Select Save after setting it, then restart Suricata for it to take effect.
The second checkbox is very aggressive: once an IP is found to be dangerous, all connections from that IP are cut directly.
For IPS, the focus here is the white list setting.
Step 1: set up aliases
Under Firewall, Aliases (add your own).
Step 2: set up Pass Lists
Save.
Then set it in WAN Settings.
Click Save and restart Suricata for it to take effect.
There is one last setting: when a blocked IP is unblocked.
This is General Settings inside the Global Settings mentioned above.
The setting here is 15 minutes.
That is, after 15 minutes a blocked IP is automatically unblocked.
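As an added illustration (not pfSense's or Suricata's code), the following Python models the IDS-to-IPS flow this article configures: Suricata alerts (here as constructed eve.json lines) are counted per source address, sources that are not on the pass list are added to the Blocked list, and a cleanup run with the Remove Blocked Hosts Interval set to 15 minutes removes hosts that have been blocked for at least that long. The pass-list aliases, signature ids, signature names and addresses are all made up, and the per-entry expiry is a simplified model of the behaviour described above, not a reproduction of how pfSense implements it.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample eve.json lines in Suricata's JSON log shape. Addresses come
# from RFC 5737 documentation ranges and the signature ids/names are made up;
# nothing here was captured from a real sensor.
SAMPLE_EVE = """\
{"timestamp":"2022-04-21T16:10:05.000000+0800","event_type":"flow","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","proto":"TCP"}
{"timestamp":"2022-04-21T16:10:06.000000+0800","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED SCAN nmap-style SYN probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2022-04-21T16:10:06.500000+0800","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED SCAN nmap-style SYN probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2022-04-21T16:11:00.000000+0800","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.1","proto":"UDP","alert":{"signature_id":9000002,"signature":"CONSTRUCTED POLICY internal host noisy DNS","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2022-04-21T16:20:00.000000+0800","event_type":"alert","src_ip":"198.51.100.77","dest_ip":"192.0.2.10","proto":"TCP","alert":{"signature_id":9000003,"signature":"CONSTRUCTED WEB-SERVER suspicious request","category":"Web Application Attack","severity":1}}
"""

# Suricata writes timestamps like 2022-04-21T16:10:06.000000+0800 (no colon in the offset).
EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_alerts(eve_text):
    """Return the alert records from eve.json text, skipping flow and other event types."""
    alerts = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("event_type") != "alert":
            continue
        alerts.append({
            "ts": datetime.strptime(record["timestamp"], EVE_TS_FORMAT),
            "src_ip": ipaddress.ip_address(record["src_ip"]),
            "sid": record["alert"]["signature_id"],
            "signature": record["alert"]["signature"],
            "severity": record["alert"]["severity"],
        })
    return alerts


def build_pass_list(entries):
    """Turn alias entries (single hosts or CIDR networks) into ip_network objects."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_pass_listed(ip, pass_list):
    """True when the address falls inside any pass-list network (the white list)."""
    return any(ip in net for net in pass_list)


class BlockList:
    """Blocked-hosts table with Remove Blocked Hosts Interval semantics (simplified model):
    a host blocked for at least the interval is dropped when cleanup runs; None models NEVER."""

    def __init__(self, remove_interval):
        self.remove_interval = remove_interval
        self._blocked = {}  # ip -> time the host was first blocked

    def block(self, ip, when):
        self._blocked.setdefault(ip, when)

    def cleanup(self, now):
        if self.remove_interval is None:
            return []
        expired = [ip for ip, since in self._blocked.items()
                   if now - since >= self.remove_interval]
        for ip in expired:
            del self._blocked[ip]
        return expired

    def blocked(self):
        return sorted(str(ip) for ip in self._blocked)


def apply_alerts(alerts, pass_list, block_list):
    """IPS step: count alerts per source and block every source that is not pass-listed."""
    counts = {}
    for alert in alerts:
        key = str(alert["src_ip"])
        counts[key] = counts.get(key, 0) + 1
        if not is_pass_listed(alert["src_ip"], pass_list):
            block_list.block(alert["src_ip"], alert["ts"])
    return counts


def demo():
    """Run the constructed alerts through the pass list, block list and 15-minute cleanup."""
    pass_list = build_pass_list(["192.0.2.0/24", "198.51.100.5"])  # constructed aliases
    alerts = parse_alerts(SAMPLE_EVE)
    blocks = BlockList(timedelta(minutes=15))
    counts = apply_alerts(alerts, pass_list, blocks)
    before = blocks.blocked()
    # Cleanup 15 minutes after the scan alerts: the scanner has aged out, the later web alert has not.
    expired = blocks.cleanup(alerts[0]["ts"] + timedelta(minutes=15))
    return {"alerts": len(alerts), "counts": counts, "blocked_before": before,
            "expired": [str(ip) for ip in expired], "blocked_after": blocks.blocked()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The internal host 192.0.2.10 also raises an alert but stays unblocked because the LAN network is on the pass list, which is exactly why the article configures the pass list before turning on blocking: without it, a noisy internal host or the administrator's own workstation would be locked out by the same mechanism that blocks the scanner.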
Note: this article only shows the approach; configure it according to your own needs. The article is not very detailed; written out in full it would probably run to 20 pages.
This article comes from the Wuyun (Dark Cloud) knowledge base. This mirror is provided for the convenience of study and research; the copyright belongs to the Wuyun knowledge base!
Copyright notice
This article was written by [Sword-heart]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/04/202204211632370878.html