@juniper said in snort and span interface:
@bmeeks said in snort and span interface:
@juniper said in snort and span interface:
Hi,
Is it possible to use pfSense Snort with a span interface as a sensor?
Thanks in advance.
No, that configuration is not supported. If you want to do something like that, I recommend a dedicated FreeBSD or Linux machine running the base Snort package from whichever distro you choose the OS from. There would be no GUI, though.
Thank you!
Just to clarify,
I have a pfSense firewall with Snort on a WAN bridge (but this way I can't check HTTPS traffic). My need is to analyze HTTP traffic over a reverse proxy (reverse to private network, reverse HTTPS to private network HTTP). If I understand correctly, the only way is to create another bridge?
Bridges can get very messy, and Snort really does not understand those (meaning the Snort package on pfSense) as it's not designed and plumbed up to operate with that configuration on the interface. It expects a traditional single network interface. Not saying you might not could get it to somewhat work with duct tape, baling wire, and glue, but it's not a setup I would recommend.
For your setup, I would lean more toward the span port option using a separate and dedicated Unix-type distro to run Snort. And I mean Snort as a package from that Unix distro and NOT the GUI package used on pfSense. That would mean interacting with Snort via the CLI.