Problem to detect internal portscan to firewall LAN IP
-
Hi!
Snort runs well but I have a (small) problem.
On my lan side there are some dangerous people (I can not remove them).
I did a p2p-block and this is working as long as I am using the Home Net:default or I include the LAN-Network in a manual pass-list. But with included LAN-network I can not see a portscan to the firewall IP. If I remove the LAN /24 from the passlist I can see the port-scan but the p2p-block will not work anymore ...
Any ideas?
-
If the misbehaving machines are on your LAN, then there is only a limited amount of mitigation you can do at the firewall. But I would not be overly concerned about an internal port scan. Snort's port scan preprocessor is a bit finicky anyway, and is prone to false triggering.
In your setup, the local LAN hosts are not getting blocked but any p2p destination IP they communicate with gets blocked. That's about the best you can hope for with Legacy Mode.
If your NIC is supported for Inline IPS Mode, you can switch to that providing you are not using VLANs. That mode does not use nor require a pass list as it drops individual packet flows instead of blocking the host's IP address. So much less of a large hammer combating the problem.
If you switch to Inline IPS Mode, consult the two Sticky Posts at the top of this sub-forum for information. You will need to manually change rule actions to DROP for those rules which you wish to block traffic. Otherwise they will only generate alerts and not block anything.
Here is the first Sticky: https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions.
And here is the second: https://forum.netgate.com/topic/128480/how-automatic-sid-management-and-user-rule-overrides-work-in-snort-and-suricata.
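As an added illustration of the Legacy Mode behaviour described in the reply above (this is not code from the Snort package or from the poster; the alert lines are constructed samples in Snort's fast-alert format, and the "block both src and dst unless pass-listed" rule is an assumed simplification of the package's blocking logic), this parses alerts and shows which IPs would be blocked with and without the LAN /24 in the pass list:

```python
import ipaddress
import re

# Fast-alert line shape: <time> [**] [gid:sid:rev] <msg> [**] ... {<proto>} <src> -> <dst>
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>[^}]+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts. GID 122 is the portscan preprocessor; the P2P
# rule SID 9000001 is a placeholder, not a real ruleset identifier.
SAMPLE_ALERTS = [
    "03/14-10:01:02.000001  [**] [122:1:1] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 192.168.1.50 -> 192.168.1.1",
    "03/14-10:02:03.000002  [**] [1:9000001:1] P2P sample rule [**] "
    "[Priority: 3] {UDP} 192.168.1.60:51413 -> 203.0.113.7:6881",
]


def parse_alert(line):
    """Return the fields of one fast-alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def legacy_block_decisions(lines, pass_list, which="both"):
    """Mimic Legacy Mode host blocking: each offending IP of an alert is
    blocked unless it falls inside a pass-list network. Returns
    {alert message: [IPs that would be blocked]}. 'which' selects src,
    dst or both (assumed to mirror the package's 'which IP to block')."""
    nets = [ipaddress.ip_network(n) for n in pass_list]

    def passed(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    decisions = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        candidates = {"src": [a["src"]], "dst": [a["dst"]],
                      "both": [a["src"], a["dst"]]}[which]
        decisions[a["msg"]] = [ip for ip in candidates if not passed(ip)]
    return decisions


if __name__ == "__main__":
    # With the LAN /24 pass-listed, only the external P2P peer is blocked.
    print(legacy_block_decisions(SAMPLE_ALERTS, ["192.168.1.0/24"]))
    # With only the firewall IP pass-listed, LAN hosts themselves get blocked.
    print(legacy_block_decisions(SAMPLE_ALERTS, ["192.168.1.1/32"]))
```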
-
Thank you. Have a nice weekend.