In IDS Basics Guided exercise, the Windows Firewall needs to be turned off in Public network.
Hint: Questions 1 and 2 rely on the /etc/snort/rules/local.rules created in the lab.
I needed to use /etc/snort/snort.conf to get the correct answer for question 2.
Thanks! We just made some updates to this lab a few days ago. It looks like the Windows Firewall is deactivated in the base image for the lab, but Windows is helpfully turning it on anyways. We’ve added a step to manually ensure it is disabled.
Regarding the Challenge Exercise - snort.conf includes local.rules, and you should get the same answer if you use -c /etc/snort/rules/local.rules or -c /etc/snort/snort.conf. However, for some reason that we can’t explain, there is a difference in the alert count depending on which one you use, so we’re going to accept both answers (there is a difference of 1 alert).