Now comes the joy of using the pfSense system created in the first tutorial: we now have our own little internal network, cut off from the rest of the world and contained on our machine. I used to use host-only networking here, but that leaks, and you can actually see the connections going through your host with tools such as TCPView.
I noticed that the internal network adapter did not show up in the same way, so I have stuck with it ever since. At the end of the day, the host-only adapter is like using a hub, except that it is virtual.
So let's get to testing with a local ICMP rule that checks for and alerts you when someone pings your system.
sudo vi /etc/snort/rules/local.rules
Paste in the following rule, then save the file (note the straight ASCII quotes around the msg text; word-processor style quotes will break the rule):
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000009; rev:001;)
Run the Snort configuration test again and make sure the rule was saved:
sudo snort -T -c /etc/snort/snort.conf
Looking through the rule-loading summary in the output, you should see that one rule has been loaded and that it is an ICMP rule.
Now run the following command to test your configuration so far, before you go further down the rabbit hole:
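As an added example that is not part of the original tutorial, this Python script checks a rule line for the copy-paste mistakes that make `snort -T` fail (word-processor quotes, a malformed header, a missing msg or sid, a sid below 1000000, the range Snort leaves for local rules); the parsing helper and its checks are mine, not Snort's own code, and the second sample rule is a constructed broken copy of the tutorial's rule.

```python
"""Lint a one-line Snort 2 rule before running `snort -T` (added example, not from the tutorial)."""
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# Header shape: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(rule):
    """Return header fields and an options dict, or None if the header shape is wrong."""
    m = HEADER_RE.match(rule)
    if not m:
        return None
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    # Options are "key:value;" pairs; a literal ';' inside msg must be escaped in Snort anyway.
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def lint_rule(rule):
    """Return a list of problems; an empty list means the rule is worth handing to snort -T."""
    problems = []
    # Word-processor quotes (U+201C/U+201D/U+2018/U+2019) are the classic copy-paste breakage.
    if re.search("[\u201c\u201d\u2018\u2019]", rule):
        problems.append("curly quotes present; Snort expects straight ASCII quotes")
    parsed = parse_rule(rule)
    if parsed is None:
        return problems + ["header does not match: action proto src port dir dst port (options)"]
    if parsed["action"] not in ACTIONS:
        problems.append("unknown action %r" % parsed["action"])
    if parsed["proto"] not in PROTOCOLS:
        problems.append("unknown protocol %r" % parsed["proto"])
    opts = parsed["options"]
    if "msg" not in opts:
        problems.append("missing msg")
    sid = opts.get("sid")
    if sid is None or not sid.isdigit():
        problems.append("missing or non-numeric sid")
    elif int(sid) < 1000000:
        problems.append("sid %s is below 1000000, the range set aside for local rules" % sid)
    return problems


if __name__ == "__main__":
    # The tutorial's ICMP rule with straight quotes, and a constructed copy with curly quotes.
    for rule in ('alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000009; rev:001;)',
                 'alert icmp any any -> $HOME_NET any (msg:\u201cICMP test\u201d; sid:10000009; rev:001;)'):
        print(rule, "->", lint_rule(rule) or "OK")
```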
sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth1
Then, on your pfSense box, ping your Snort IDS IP; you should see some activity once you have done this.
On your Snort machine you will see the following result, which matches the source and destination IPs of our pfSense machine and our Snort machine.
That's it for this tutorial; well done for getting this far. It is wise to take a snapshot now, before we install MySQL, create the database and install Barnyard2.