Installing pfSense and setting Suricata/Snort rules

HOME LAB

Brandon Nerios


The first thing we will need to do is set up our virtual environment. My personal preference is to use VMware Workstation; however, you can also use VirtualBox, which is another free application. To download VMware Workstation Player, go to https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html; at the bottom of the page you will find the download file.

Once you have downloaded and installed VMware Workstation, you will need the ISO file to install pfSense. Navigate to the pfSense website at https://www.pfsense.org/download/ to download the latest version.

The ISO file comes as a .gz archive, which we will need to decompress. I have 7-Zip installed on my computer, which I use to unzip files. Once decompressed you will have the ISO file, which we can use in our virtual machine.

Now open VMware Workstation and select the option "Create a New Virtual Machine". When prompted, locate the ISO file on your computer. Once we select the ISO file we can name the virtual machine; I decided to name it pfSense Lab. Since this is going to be a test lab, we can set the hard drive size to 5 GB.

Once you click to create the virtual machine, it will launch automatically. Follow the pfSense installer to initialize the machine.

Once you have gone through the install, reboot the machine. After the reboot you should first be prompted with the screen below, asking if you would like to set up VLANs. For now we are going to select No by typing "n".

After this you will be asked to enter a WAN interface name. Type em0, and when asked about the LAN IPs just press Enter. Finally you will be brought to an option asking if you would like to proceed, to which we will type "y".

Now it will begin to set up your pfSense. Once setup is done you will be brought to the screen below. Instead of using the options on this screen, let's go to the IP address shown and use the pfSense web GUI.

Open your preferred browser and paste the IP address provided during setup. It should take you to a login screen. The default login for pfSense is username admin with pfsense as the password. We will want to change this once we get logged in.

Now that we are logged in we will be brought to the pfSense setup wizard. Follow the instructions through the setup wizard and adjust any details to your liking. Below are the settings I used when going through the setup wizard. After step two you can leave the other configuration at its defaults.

Once you are done with the setup wizard you will be brought to the pfSense dashboard. In theory the first thing we will want to do is change our admin password. Since this is just a lab, I did not go through that step, but you should be able to click on the link at the top of the dashboard to change it.

Now that we have pfSense installed and running, we will want to install Suricata or Snort. These are both great packages that can be installed on pfSense to give you an Intrusion Detection System/Intrusion Prevention System. I am going to walk you through installing Suricata now. To install the package, click on the System menu at the top of your screen and go to Package Manager. Once you are in the package manager, click on Available Packages and search for suricata. Once you find the package, click Install.

Once installed, go to the Services tab and select Suricata to begin setting up the rules. Once Suricata is open, go to Global Settings. In Global Settings we will set up the ET Open (Emerging Threats Open) rules. In the screenshot below you can see the settings I selected for this. Everything below the screenshot can be left at default.

NOTE: the custom rule URL must match the version of Suricata you are running: https://rules.emergingthreats.net/open/suricata-6.0.4_1/emerging.rules.tar.gz. As you can see in this link, we are running 6.0.4_1.
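A version mismatch here is easy to make by pasting a URL from someone else's write-up, so here is a small check for it. This is an added example, not part of the original post or of the pfSense/Suricata packages: it takes the rule URL from the note above and the version string as the pfSense package reports it (both embedded as constructed inputs), extracts the version from the URL path, and compares it to the installed version. The decision to ignore the trailing FreeBSD package revision (`_1`) when comparing is my own assumption about what "matches" should mean; the URL layout is the one in the post's link.

```python
import re
from typing import Optional

# Constructed inputs for this example: the rule URL quoted in the post and
# the Suricata version as the pfSense package reports it.
RULE_URL = "https://rules.emergingthreats.net/open/suricata-6.0.4_1/emerging.rules.tar.gz"
INSTALLED_VERSION = "6.0.4_1"

# The version sits between "/open/suricata-" and the next "/" in the path.
_URL_VERSION = re.compile(r"/open/suricata-([0-9][0-9A-Za-z._]*)/")


def rules_url_version(url: str) -> Optional[str]:
    """Return the Suricata version embedded in an ET Open rules URL, or None if absent."""
    m = _URL_VERSION.search(url)
    return m.group(1) if m else None


def base_version(version: str) -> str:
    """Strip a FreeBSD package revision suffix such as '_1' (6.0.4_1 -> 6.0.4).
    Assumption: the revision suffix does not change which rule set applies."""
    return version.split("_", 1)[0]


def rules_url_matches(url: str, installed: str) -> bool:
    """True when the URL's version matches the installed Suricata version.
    A URL with no recognisable version is treated as a mismatch."""
    url_ver = rules_url_version(url)
    if url_ver is None:
        return False
    return base_version(url_ver) == base_version(installed)


def suggested_rules_url(installed: str) -> str:
    """Build the ET Open URL for the installed version, using the post's path layout."""
    return f"https://rules.emergingthreats.net/open/suricata-{installed}/emerging.rules.tar.gz"


if __name__ == "__main__":
    ok = rules_url_matches(RULE_URL, INSTALLED_VERSION)
    print("rule URL matches installed Suricata:", ok)
    if not ok:
        print("suggested URL:", suggested_rules_url(INSTALLED_VERSION))
```

Run it with the version string from the Suricata package page (Services > Suricata shows it) in place of INSTALLED_VERSION; if it prints False, use the suggested URL before updating rules, because a rule set built for another Suricata release can fail to load or silently skip rules.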

Once we save these settings we will want to update the rules. Go to the Updates tab and select the button to update. Once the update is complete you will see your rule sets listed.

Now we will want to set up the interface. Since there is only one interface, we will select the WAN. All the settings can be left at default; however, it is worth noting that blocking offenders is off, and I think this is a good option to leave off for the first couple of weeks while you go through tuning, as there may be false positives that would otherwise be blocked.

Once you select save, more options will appear at the top of the interface page. Now we will go into the WAN Categories tab to select the rule sets. I have decided to select all; please be aware, though, that this may cause more false positives that you will have to tune out.

Now that we have all the rules selected, you can go back to the Interfaces tab and click the play button to start Suricata.

Now that Suricata is running we can go into the Alerts tab to see what is being triggered and whether we would like to block it. This is where your rule tuning will come into play. Since the system is in a virtual machine with nothing behind it, there are no logs.
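Once there is traffic behind the firewall, the tuning step above becomes a loop of "which signatures fire most, from where, and is that benign?". The following is an added example, not code from the original post or from the pfSense Suricata package: it reads Suricata alerts in the EVE JSON format Suricata itself writes, counts hits per signature and source address, and emits candidate `suppress` entries in Suricata's threshold.config syntax for signatures that fire repeatedly from networks you trust, while leaving hits from outside addresses alone for an analyst to look at. The sample log lines, signature IDs (9000001, 9000002) and signature names are constructed for the example and are not real ET rules; the "trusted network" list and the minimum-hit threshold are assumptions you would set for your own lab.

```python
import ipaddress
import json
from collections import Counter
from typing import Iterable, List

# Constructed EVE JSON records for the example (not captured from a real sensor).
# Three hits of one signature from a LAN host, one hit from an outside address,
# one non-alert "flow" record and one corrupt line, so the parser's filtering shows.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2022-03-01T10:00:01+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"192.168.1.1",'
    '"alert":{"gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE POLICY lab package update check","severity":3}}',
    '{"timestamp":"2022-03-01T10:00:05+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"192.168.1.1",'
    '"alert":{"gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE POLICY lab package update check","severity":3}}',
    '{"timestamp":"2022-03-01T10:00:09+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"192.168.1.1",'
    '"alert":{"gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE POLICY lab package update check","severity":3}}',
    '{"timestamp":"2022-03-01T10:01:00+0000","event_type":"alert","src_ip":"203.0.113.77","dest_ip":"192.168.1.1",'
    '"alert":{"gid":1,"signature_id":9000002,"rev":1,"signature":"EXAMPLE SCAN inbound probe to lab service","severity":2}}',
    '{"timestamp":"2022-03-01T10:02:00+0000","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"192.168.1.1"}',
    '{"timestamp":"2022-03-01T10:03:00+0000","event_type":"alert","src_ip":"192.168.1.2',  # truncated line
]


def parse_alerts(lines: Iterable[str]) -> List[dict]:
    """Keep only well-formed EVE records whose event_type is 'alert'."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt lines instead of aborting the run
        if rec.get("event_type") != "alert" or "alert" not in rec:
            continue
        a = rec["alert"]
        alerts.append({
            "src_ip": rec.get("src_ip", ""),
            "gid": int(a.get("gid", 1)),
            "sid": int(a["signature_id"]),
            "signature": a.get("signature", ""),
            "severity": int(a.get("severity", 3)),
        })
    return alerts


def summarize(alerts: List[dict]) -> Counter:
    """Count alerts per (gid, sid, src_ip) so the noisiest pairs surface first."""
    return Counter((a["gid"], a["sid"], a["src_ip"]) for a in alerts)


def suppress_candidates(alerts: List[dict], min_hits: int, trusted_nets: List[str]) -> List[str]:
    """Emit threshold.config 'suppress' lines for signatures that fire at least
    min_hits times from a trusted network. Hits from other sources are never
    suppressed here: those are the ones worth a human look before any blocking."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    out = []
    for (gid, sid, src), hits in summarize(alerts).most_common():
        if hits < min_hits:
            continue
        try:
            src_addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed source address; nothing sensible to suppress
        if not any(src_addr in net for net in nets):
            continue
        out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return out


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_EVE_LINES)
    for (gid, sid, src), hits in summarize(found).most_common():
        print(f"{hits:4d}  gid {gid} sid {sid}  from {src}")
    # Assumed lab settings: the LAN is trusted, three hits is the noise threshold.
    for line in suppress_candidates(found, min_hits=3, trusted_nets=["192.168.1.0/24"]):
        print(line)
```

The printed `suppress` lines use the same `gen_id`/`sig_id`/`track by_src` form that Suricata's threshold.config accepts (to my understanding the Suppress tab in the pfSense Suricata package takes entries in this form as well, but verify that in your own install). Review each candidate by hand before adding it; the point of the script is to shorten the list you read, not to decide for you, and tuning this way first is what makes turning "block offenders" on later safe.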