Snort Intrusion Detection / Prevention System on PFSense Firewall

hudaseyam, 5 slides, Jun 09, 2020

Slide Content

Snort Intrusion Detection / Prevention System
on PFSense Firewall

Introduction
Securing web applications is now the most common concern in securing the
enterprise. Web application hacking is on the rise, with as many as 80% of
cyber-attacks reported to be carried out at the web application level or via
the web. Most corporations have secured their data at the network level but
have overlooked the crucial step of checking whether their web applications
are vulnerable to attack.

Project idea
This project presents a solution to protect web pages that request user names
and passwords against HTTP brute-force attacks: a brute-force password audit
is run with Nmap against a web server that uses HTTP Basic authentication, and
the attack is then detected and blocked with the Snort IDS/IPS package on a
pfSense firewall.

Project management methodology

Waterfall model
1) Analysis & Design
2) Development
3) Testing
4) Documentation

Gantt chart (figure not reproduced in the text)

Tasks at every stage:
Analysis & Design
1. Draft the environment
2. Obtain the needed ISO images

Development
1) Set up the environment
1. Set up virtual switches in VMware Workstation
a. VMnet2: host-only, subnet 192.168.40.0/24 (DMZ, victim web server)
b. VMnet3: host-only, subnet 192.168.50.0/24 (LAN, attacker and normal user)

2. Set up the victim web server machine
a. Set up a CentOS 7 virtual machine
b. Set up the web service with Basic authentication
i. Install httpd
Command used: yum install -y httpd
ii. Enable Basic authentication to limit access to a specific
directory, http://192.168.40.200/auth-basic/ (the directory
/var/www/html/auth-basic must exist and httpd must be running)
Command used: nano /etc/httpd/conf.d/auth_basic.conf
<Directory /var/www/html/auth-basic>
    AuthType Basic
    AuthName "Basic Authentication"
    AuthUserFile /etc/httpd/conf/.htpasswd
    Require valid-user
</Directory>
iii. Use the htpasswd command to create the user account "web"
(-c creates the password file; the command prompts for the password)
Command used: htpasswd -c /etc/httpd/conf/.htpasswd web
c. Configure networking
i. Static IP: 192.168.40.200
ii. Netmask: 255.255.255.0
iii. Gateway: 192.168.40.250 (the pfSense DMZ interface)

3. Set up the attacker machine
a. Set up a Kali Linux virtual machine
b. Configure networking
i. Static IP: 192.168.50.11
ii. Netmask: 255.255.255.0
iii. Gateway: 192.168.50.250 (the pfSense LAN interface)

4. Set up the normal user machine
a. Set up a Windows 8 machine
b. Configure networking
i. Static IP: 192.168.50.100
ii. Netmask: 255.255.255.0
iii. Gateway: 192.168.50.250 (the pfSense LAN interface)

5. Set up the pfSense firewall
a. Set up the pfSense machine
b. Add network adapters
i. DMZ interface for the victim network (VMnet2)
ii. LAN interface for the attacker and normal-user network (VMnet3)
iii. WAN interface used to reach the internet (NAT)

2) Install Snort on pfSense as an Intrusion Prevention System

1. Install the Snort package from the pfSense package manager
2. Log in to the Snort web site with your account and generate an Oinkcode
3. From the Global Settings menu, enter the Oinkcode to download the Snort VRT rules
4. Click the Update button to install the rules in Snort
We installed the Snort Community, Snort VRT and Emerging Threats rule sets.
5. Whitelist trusted IPs so that they are never blocked
a. Create an Alias holding those IPs
b. Create a Pass List from the Alias and assign it to the interface

3) Configure Snort to defend against the HTTP brute-force attack

1. Configure Snort on the interfaces (port-scan detection was also enabled)
a. Add the LAN interface
b. Edit the LAN interface configuration, LAN Categories
c. Select the desired rules from the comprehensive list for the LAN interface:
check all Snort GPLv2 Community Rules

d. Add a custom rule to detect the HTTP brute-force attack:
alert tcp !$HOME_NET any -> 192.168.40.200 80 (msg:"Login attempt to web server"; content:"Authorization"; sid:1000990;)

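The custom rule above matches every request that carries an Authorization header, so with blocking enabled a single legitimate login from the Windows client would be blocked exactly like the attack. Two checks a practitioner would make before deploying it: on pfSense, Snort's default HOME_NET contains all local interface subnets, so `!$HOME_NET` does not match the attacker at 192.168.50.11 unless HOME_NET was narrowed to the DMZ or the source is set to any; and the rule should only fire after a burst of attempts, which Snort 2.9 expresses with `detection_filter`. What follows is an added example, not code from the slides: a Python model of such a thresholded rule run over constructed traffic from the lab's two LAN hosts. The hardened rule text, the threshold (more than 10 matches in 60 seconds) and the 30-minute block duration are assumptions chosen to mirror the slides' setup.

```python
"""Added example (not from the slides): a sliding-window model of a Snort
rule with `detection_filter`, fed with constructed HTTP requests from the
lab's attacker (192.168.50.11) and normal user (192.168.50.100)."""
from collections import defaultdict, deque

# Assumed hardened form of the slides' rule, in Snort 2.9 syntax (the Snort
# version pfSense shipped in 2020). `detection_filter` makes it alert only
# after more than 10 matching requests from one source within 60 seconds,
# so a single legitimate login never trips the block.
HARDENED_RULE = (
    'alert tcp any any -> 192.168.40.200 80 '
    '(msg:"HTTP Basic auth brute force against web server"; '
    'flow:to_server,established; '
    'content:"Authorization|3A| Basic "; http_header; '
    'detection_filter:track by_src, count 10, seconds 60; '
    'classtype:attempted-user; sid:1000990; rev:2;)'
)

# Constructed request, shaped like the ones http-brute sends
# (the token is base64 of "web:password").
AUTH_REQUEST = (
    b"GET /auth-basic/ HTTP/1.1\r\n"
    b"Host: 192.168.40.200\r\n"
    b"Authorization: Basic d2ViOnBhc3N3b3Jk\r\n\r\n"
)


class BruteForceDetector:
    """Sliding-window equivalent of `detection_filter: track by_src,
    count N, seconds T` plus pfSense's block-offenders behaviour: a source
    is alerted on and blocked once it sends more than N matching requests
    within T seconds, and the block expires after block_minutes."""

    def __init__(self, count=10, seconds=60, block_minutes=30):
        self.count, self.seconds = count, seconds
        self.block_seconds = block_minutes * 60
        self.window = defaultdict(deque)   # src -> timestamps of matches
        self.blocked = {}                  # src -> time the block expires

    def is_blocked(self, src, now):
        expires = self.blocked.get(src)
        if expires is None:
            return False
        if now >= expires:                 # block has aged out
            del self.blocked[src]
            return False
        return True

    def observe(self, src, timestamp, payload):
        """Return 'blocked', 'alert' or None for one request."""
        if self.is_blocked(src, timestamp):
            return "blocked"
        if b"Authorization: Basic " not in payload:   # the rule's content match
            return None
        window = self.window[src]
        window.append(timestamp)
        while window and timestamp - window[0] > self.seconds:
            window.popleft()                # drop matches older than T
        if len(window) > self.count:
            self.blocked[src] = timestamp + self.block_seconds
            window.clear()
            return "alert"
        return None


USER, ATTACKER = "192.168.50.100", "192.168.50.11"
# Constructed timeline (seconds): one normal login, a 12-request burst from
# the attacker, another normal login, an attacker request during the block,
# and one more after the block has expired.
TRAFFIC = (
    [(USER, 0.0)]
    + [(ATTACKER, 1.0 + 0.1 * i) for i in range(12)]
    + [(USER, 5.0), (ATTACKER, 6.0), (ATTACKER, 1810.0)]
)


def classify(traffic, detector=None):
    """Run every request through one detector; returns one verdict per request."""
    det = detector or BruteForceDetector()
    return [det.observe(src, t, AUTH_REQUEST) for src, t in traffic]


if __name__ == "__main__":
    for (src, t), verdict in zip(TRAFFIC, classify(TRAFFIC)):
        print(f"t={t:7.1f} {src:15} {verdict or 'pass'}")
```

Run as written, the normal user's two logins pass, the attacker is alerted on at the eleventh request of the burst and blocked for the following 1800 seconds, and the request at t=1810 is evaluated afresh, which is the 30-minute block behaviour the Testing section describes.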
Testing

1. Perform the HTTP brute-force attack
Use the Nmap tool:
Load the Nmap Scripting Engine and use the http-brute script.
By default the http-brute script uses the word lists usernames.lst and
passwords.lst located in nselib/data/ and tries every password for
every user, hoping to find a valid account.
Command used: nmap --script http-brute -p 80 192.168.40.200 -d --script-args http-brute.path=/auth-basic/
2. Analyze the packets with Wireshark
3. Check the alerts
4. Check the blocked hosts:
the offending host is blocked for 30 minutes; non-offending hosts can
still reach the web server during the block period
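To make clear why http-brute produces the burst of requests that Snort keys on, here is an added example (not the slides' code and not Nmap's NSE script) covering both the Basic-authentication setup from the Development section and the http-brute test above: it reimplements in Python what Apache does with the auth_basic.conf shown earlier, verifying a Basic Authorization header against an htpasswd-style user store, and then tries every password for every user name exactly as the script's default word lists do. Assumptions: the htpasswd file was created with `htpasswd -s`, which stores {SHA} hashes (the default apr1-md5 format is not implemented here), and the user names, passwords and the sample credential web:Winter2020 are constructed for the example.

```python
"""Added example (not from the slides): Apache-style HTTP Basic
authentication against an htpasswd file, and an http-brute style audit
of it. Only the {SHA} htpasswd format (htpasswd -s) is implemented."""
import base64
import hashlib
import hmac


def sha_entry(user, password):
    """Return the line `htpasswd -s` writes: user:{SHA}base64(sha1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def load_htpasswd(text):
    """Parse htpasswd file content into {user: stored_hash}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check_password(users, user, password):
    """Constant-time comparison of the candidate password's {SHA} hash."""
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False   # unknown user, or a hash scheme this example omits
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], expected)


def authorize(users, request_headers):
    """Return the status Apache would send for /auth-basic/: 200 or 401."""
    auth = request_headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401
    try:
        # RFC 7617: credentials are base64("user:password"), split at the first colon
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401
    return 200 if check_password(users, user, password) else 401


def basic_header(user, password):
    """Build the Authorization header a client (or http-brute) sends."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def brute_force(users, usernames, passwords):
    """What http-brute does: every password for every user.
    Returns (number of requests sent, list of valid (user, password) pairs)."""
    attempts = 0
    hits = []
    for user in usernames:
        for password in passwords:
            attempts += 1      # one request with an Authorization header each
            if authorize(users, basic_header(user, password)) == 200:
                hits.append((user, password))
    return attempts, hits


# Constructed stand-ins for the script's usernames.lst / passwords.lst and
# for the password file created with `htpasswd -cs /etc/httpd/conf/.htpasswd web`.
USERNAMES = ["admin", "root", "web"]
PASSWORDS = ["password", "123456", "admin", "Winter2020"]
HTPASSWD_TEXT = sha_entry("web", "Winter2020") + "\n"

if __name__ == "__main__":
    store = load_htpasswd(HTPASSWD_TEXT)
    sent, found = brute_force(store, USERNAMES, PASSWORDS)
    print(f"{sent} requests sent, valid credentials: {found}")
```

Each attempt is one request carrying an Authorization header and, for every wrong guess, one 401 response from the server: with the real word lists that is thousands of requests from a single source in a short time, which is the pattern Wireshark shows and the Snort rule should key on.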


Software used:
- VMware Workstation 15 Pro
- CentOS 7
- Windows 8
- Kali Linux
- Wireshark
- pfSense
- Snort package