Netgate Discussion Forum

    Snort/Suricata and NAT/Port forwarding ports

    • jeffhammett

      When specifying variables in Snort and Suricata (HTTP_PORTS for instance) and using NAT/Port forwarding does one use the external port that clients are accessing? Or the internal port that the system is running the service on?

      Does this vary depending on if you're running Snort/Suricata on WAN vs LAN interface?

      • bmeeks

        It will vary by location (LAN vs WAN) of the IDS sensor.  Snort and Suricata both see packets from the WAN before they hit the packet filter, so no port translation has yet taken place on inbound (from Internet to your firewall) traffic.  When on the LAN, the IDS is seeing stuff after NAT translation to local addresses/ports.

        So think of a series circuit on the WAN side.  You have your NIC, then the IDS, and then the firewall.  So the IDS sees traffic before the firewall does and thus no firewall rules have been evaluated (to say block stuff) and NAT has not yet happened.  This is why the IDS will still alert even for inbound traffic the firewall will later block due to a rule.

        Now to get even more technical, Snort (and Suricata when running in the legacy mode) actually use libpcap to get a copy of the packets coming through the circuit from NIC to packet filter.  The IDS operates on this copy while the actual original packet continues through.  If the IDS decides the traffic is malicious, it inserts the offending IP address into the packet filter (firewall) and then kills any states that may have been established when that original packet went on through while the IDS was evaluating the copy.

        Bill

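As an added illustration of Bill's answer (not configuration from the thread or from the pfSense packages), here are two Suricata `vars` fragments for the same port forward, one for a sensor on the WAN interface and one for a sensor on the LAN interface. The forward and every address in it are constructed example values: WAN TCP 8080 on WAN address 203.0.113.5 is forwarded to the internal web server 192.168.1.10 on TCP 80. The WAN sensor sees the packet before NAT, so it must be told the external port (and the WAN address still has to be inside HOME_NET, since that is the destination it sees); the LAN sensor sees the packet after NAT, so only the internal port applies.

```yaml
# Added example, not from the forum thread. Assumed port forward (constructed):
#   WAN 203.0.113.5:8080/tcp  ->  internal 192.168.1.10:80/tcp

# --- Sensor bound to the WAN interface: packets are seen BEFORE NAT, so the
# destination is still 203.0.113.5:8080. HTTP rules keyed on $HTTP_PORTS only
# match if the external port is in the list.
vars:
  address-groups:
    # WAN address must be in HOME_NET here; pre-NAT, that is the destination IP
    HOME_NET: "[203.0.113.5/32,192.168.1.0/24]"
    EXTERNAL_NET: "!$HOME_NET"
  port-groups:
    # 8080 is the port clients actually connect to; 80 kept for any
    # non-forwarded HTTP traffic this sensor may also see
    HTTP_PORTS: "[80,8080]"
---
# --- Sensor bound to the LAN interface: packets are seen AFTER NAT, so the
# destination is already 192.168.1.10:80. Listing 8080 here would never match.
vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24]"
    EXTERNAL_NET: "!$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
```

The two documents are separated by `---` only so they can sit in one file for comparison; each belongs in the suricata.yaml of its own interface instance. The same split applies to Snort 2 `portvar HTTP_PORTS [80,8080]` versus `portvar HTTP_PORTS 80` in the per-interface snort.conf. A quick way to confirm which view a sensor has is to compare the destination address and port in its alert log against the port forward: pre-NAT alerts show the WAN address and external port, post-NAT alerts show the internal host and port.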
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.