Netgate Discussion Forum

    Can snort be configured for a single interface or VLAN?

    pfSense Packages
    TyMac

      Right now I have snort running on the WAN interface looking at all incoming traffic but I am really only worried about a few internal interfaces. Is there a way to configure this?

    Wolf666

        Simply add the interface you need to monitor.
        I only monitor LAN interfaces, no need to look at WAN since firewall blocks any inbound and unsolicited traffic, the only inbound traffic is via VPN.

        Modem Draytek Vigor 130
        pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
        Switch Cisco SG350-10
        AP Netgear R7000 (Stock FW)
        HTPC Intel NUC5i3RYH
        NAS Synology DS1515+
        NAS Synology DS213+

    TyMac

          So that will monitor any incoming traffic to that subnet?

    bmeeks

            @TyMac:

            So that will monitor any incoming traffic to that subnet?

            …and outgoing from that subnet.  If you have NAT enabled, you will actually find running Snort (or Suricata) on the LAN and other interfaces beneficial.  This is because on the WAN, with NAT, all traffic appears to originate from and go to your WAN IP.  Not useful when trying to track down a LAN client that is alerting.  With Snort on the LAN, all the logged alerts will have the LAN IPs in the alerts.

            Bill

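    As an added illustration of the point Bill makes above (not code from the thread or from the Snort/pfSense projects): a toy outbound source-NAT model showing which source addresses an IDS sees when it taps the WAN side versus the LAN side of the firewall. The addresses, ports and the "every packet triggers an alert" assumption are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample addressing (RFC 5737 / RFC 1918 ranges), not real hosts.
WAN_IP = "203.0.113.10"
LAN_PREFIX = "192.168.1."

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class SourceNat:
    """Minimal outbound source NAT: LAN src -> WAN IP with a fresh port per flow."""
    def __init__(self, wan_ip, lan_prefix=LAN_PREFIX):
        self.wan_ip = wan_ip
        self.lan_prefix = lan_prefix
        self.next_port = 40000
        self.table = {}  # (lan_src, sport) -> translated port

    def outbound(self, pkt):
        if not pkt.src.startswith(self.lan_prefix):
            return pkt  # not a LAN host, leave untouched
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(self.wan_ip, pkt.dst, self.table[key], pkt.dport)

def alert_sources(packets, nat, tap):
    """Count the source IPs an IDS would log per alert at tap 'lan' or 'wan'.

    On the LAN tap the IDS sees the packet before translation; on the WAN tap
    it sees it after, so every LAN client collapses into the single WAN IP.
    """
    seen = Counter()
    for p in packets:
        observed = p if tap == "lan" else nat.outbound(p)
        seen[observed.src] += 1
    return seen

# Constructed traffic: three LAN clients talking to one flagged external host.
SAMPLE = [
    Packet("192.168.1.20", "198.51.100.7", 51000, 80),
    Packet("192.168.1.20", "198.51.100.7", 51001, 80),
    Packet("192.168.1.31", "198.51.100.7", 52000, 443),
    Packet("192.168.1.45", "198.51.100.7", 53000, 443),
]
```

Run `alert_sources(SAMPLE, SourceNat(WAN_IP), "wan")` and `alert_sources(SAMPLE, SourceNat(WAN_IP), "lan")` to compare: the WAN tap attributes all four alerts to 203.0.113.10, the LAN tap attributes them to the individual clients.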
    TyMac

    Well I'm trying to eliminate any security measures from a certain LAN due to bitching about the rules blocking stuff… so adding snort to the WAN will probably cause more issues and they are not willing to troubleshoot.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.