Netgate Discussion Forum

    SNORT Inexperience

    IDS/IPS · 5 Posts, 2 Posters, 1.4k Views
    coxhaus:

      I ran snort for a week or 2.  I don't have much experience with snort but a problem I had was snort logs did not always show the source IP address.  I run a layer 3 switch behind pfsense.  All my LAN traffic is routed traffic. I only have 2 LAN IP addresses for pfsense.  It seemed like I was getting the same IP address for a lot of my LAN traffic.  Is the new snort going to work better for me?

      I run this at home so it is not critical.

    bmeeks:

        Running Snort on the LAN side is a good strategy for a home network, but realize that on the LAN the only traffic the firewall should see is traffic that is outbound to the WAN or inbound from the WAN going to some host on the LAN.  The firewall does not typically see host-to-host traffic on the LAN.

        So with that said, running on the LAN interface, you would expect Snort to trigger on malicious inbound or outbound traffic (meaning coming to a local host through the WAN interface on the firewall, or leaving a local LAN host going out to the Internet through the WAN on the firewall).  I don't really understand what you mean by "…seemed like I was getting the same IP address for a lot of my LAN traffic".  What specific alert or alerts were you seeing?  Was the IP address one of your LAN hosts?

        Bill

    coxhaus:

          pfSense only sees traffic destined for the internet.  All local traffic is handled by my layer 3 switch.  What I remember is the pfSense gateway IP address for the layer 3 switch is shown in the logs, not the real IP address assigned by my layer 3 switch to all the clients.  So I see a lot of the same IP addresses in the logs being the gateway IP address.  Then I have to interpret what the real IP is.  My layer 3 switch is my DHCP server.  I no longer have SNORT installed so I can't look now.  When is SNORT 3.0 going to be released?  I want to wait until after pfSense 2.3, which I plan to upgrade to in a couple of weeks.

    bmeeks:

            @coxhaus:

            pfSense only sees traffic destined for the internet.  All local traffic is handled by my layer 3 switch.  What I remember is the pfSense gateway IP address for the layer 3 switch is shown in the logs, not the real IP address assigned by my layer 3 switch to all the clients.  So I see a lot of the same IP addresses in the logs being the gateway IP address.  Then I have to interpret what the real IP is.  My layer 3 switch is my DHCP server.  I no longer have SNORT installed so I can't look now.  When is SNORT 3.0 going to be released?  I want to wait until after pfSense 2.3, which I plan to upgrade to in a couple of weeks.

            Sounds like in your setup your switch is doing NAT, so it will only show a single IP address to pfSense and Snort.  Remove the Layer 3 switch if you want to see the true IP addresses.

            As for Snort 3.0, it won't come to pfSense until it is production code and is in the FreeBSD ports tree.  Neither of those triggers has yet happened (at least they had not the last time I checked).

            Bill

    coxhaus:

              Thanks Bill.  No NAT in the switch.  I will take another look after my 2.3 upgrade.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.