Snort on LAN interface?
-
Right now I have a basic setup, INTERNET -> PFSENSE -> LAN. I have installed snort on pfsense and set it up on the WAN interface. I don't have it set to block anything at the moment, I just want to see the alerts. It is working as I'm getting alerts. I'm seeing alerts that show the src ip as being my WAN interface and the dst ip some ip on the internet. So I'm assuming the traffic is originating from my LAN and going out an snort is flagging it.
At this point I want to know from where on the LAN it is originating from. I setup another snort interface for the LAN, setup with the same rules and preprocessors. I am not seeing any alerts where the src ip is from the local LAN however. What I expected was to get 2 alerts one showing the src ip as my WAN to some external dst ip and a duplicate alert with a LAN ip with the same external ip.Any ideas what I could be doing wrong? Or is my understanding of how it should work wrong?
Thanks
-
You have alerts on both ways.
Some alerts are got from client to server and other from server response to client.
You will need to analyse rule info to see direction.
-
Thanks for the reply. I'm pretty new to snort and just figuring things out. I probably have a lot more research to do. I've done some testing. I have a pfsense box on my home network so I installed snort and set it up on the LAN interface only and I selected the icmp rules. Then from my pc inside the network I pinged google.com. and got the alert in snort below…
# PRI PROTO DESCRIPTION CLASS SRC SPORT FLOW DST DPORT SID Date
7 3 ICMP ICMP Echo Reply Misc activity 74.125.224.134 empty -> 10.11.12.100 empty 1:408:5 02/13-23:41:07
On the setup at work I select the same icmp rules and have snort enabled only on the LAN interface. When I ping google from the LAN I don't see any alert at all in snort.
As far as I can tell all settings are identical between the two setups. Both network layouts are the same, MODEM > PFSENSE/SNORT > LAN. Nothing between the modem and pfsense. I reinstalled snort but no go. The setup at work has been running for over a week. There's about 30 workstations and I can go an entire day without seeing any alerts at all being generated from snort on the LAN interface. At home running the same rules and only 2 computers on the LAN I'll get several everyday.
I really have no idea what can be different between the setups.