Snort dual-WAN Hack
For those of you beating your heads against the "No snort on dual-wan setups" issue, here's what I've cobbled together to meet my needs - get pfSense to run an instance of Snort per interface. Hope you find it useful.
The current pfSense Snort configuration 'appears' to support a dual-wan setup; you're able to select multiple interfaces, no errors or warnings, but alas when you start the service, no luv. A little digging shows that the selection of multiple interfaces results in a Snort start command that looks something like this:
'snort -i xl1 -i xl2'
where the -i arg signifies an interface and 'xl1' and 'xl2' are interface names. Unfortunately, Snort doesn't like that / doesn't accept multiple interfaces per instance. What does this mean? In a crude fashion it means you have to run two instances of snort if you have two WAN interfaces; one instance per interface. Something like:
'snort -i xl1' and 'snort -i xl2'
Just a bit more background and I'll get to the good stuff. pfSense uses a script called /usr/local/pkg/snort.inc to automatically generate a Snort startup script (/usr/local/etc/rc.d/snort.sh). In order to get pfSense to start an instance of Snort per WAN interface, modify snort.inc as follows:
- On approx line 80, define an empty array called $snortInterfaces
- On approx line 90, push each interface into $snortInterfaces
- On approx line 120, foreach entry in the $snortInterfaces array, generate a start command for a unique instance of snort.
- Additionally, add a sleep/delay before starting each instance to give the prior instance a chance to start … seems to help.
This setup does NOT always work. In particular, Snort often fails to start on a reboot. I usually check to see if things are ok by looking at the memory usage.
Seems to take about 240 MB of memory per instance with 75% of the ruleset enabled.
I've attached my snort.inc file in case anyone wonders what the hell I'm talking about. You can search for the tag '-gtm' to see my changes.
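As an added illustration of the approach described above (not the attached snort.inc and not pfSense's own code), here is a stand-alone PHP function that takes the selected interfaces and emits one Snort start line per interface with a delay between them; the function name, the snort binary/config paths, and the use of a separate log directory and PID path per instance are assumptions of this example.

```php
<?php
// Added example: stand-alone generator for a per-interface Snort start script.
// Not pfSense's snort.inc; function name and paths are assumptions.

function generate_snort_start_script(array $snortInterfaces,
                                     $snortConf = '/usr/local/etc/snort/snort.conf',
                                     $delaySeconds = 5)
{
    $lines = array('#!/bin/sh', '# generated: one Snort instance per interface');
    $first = true;
    foreach ($snortInterfaces as $iface) {
        // Interface names come from the saved config; accept only plain names
        // (e.g. xl1, em0, vlan10) so nothing unexpected lands in the shell script.
        if (!preg_match('/^[A-Za-z][A-Za-z0-9_.]*$/', $iface)) {
            continue; // skip anything that does not look like an interface name
        }
        if (!$first) {
            // give the previous instance time to finish loading its rules
            $lines[] = "sleep {$delaySeconds}";
        }
        $first = false;
        // separate log dir and PID path so the two instances do not clash
        $logDir = "/var/log/snort/{$iface}";
        $pidDir = "/var/run/snort/{$iface}";
        $lines[] = "mkdir -p {$logDir} {$pidDir}";
        $lines[] = "/usr/local/bin/snort -D -c {$snortConf} -i {$iface}"
                 . " -l {$logDir} --pid-path {$pidDir}";
    }
    return implode("\n", $lines) . "\n";
}

// Usage with the two interface names from the post: prints the generated snort.sh
echo generate_snort_start_script(array('xl1', 'xl2'));
```

Comparing the generated script against the one pfSense wrote is a quick way to confirm that each interface really got its own instance before rebooting.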
Excellent work! I've committed your changes.