Netgate Discussion Forum

    Snort on vpn connections??

    pfSense Packages

      sense678

      Hi all,

      I have installed an OpenVPN client directly in pfSense to my VPN provider. This is running over a VPN_WAN and a VPN_GATEWAY.
      Everything is working so far, it gets the correct DNS by DHCP, the IP is "correct", the routing seems fine.

      But now I want to use Snort on my box. I tried to use Snort on VPN_WAN, but that doesn't seem to work correctly because the traffic is encrypted, of course. So I get a lot of alerts just from surfing normal websites; they are endless, most of them (http_inspect) UNKNOWN METHOD.

      How can I achieve snorting a VPN connection? Normally Snort has to be placed after the traffic is decrypted, but on VPNLAN it's the same behaviour.

      If I use Snort on my normal WAN connection there are far fewer alerts. I am using it in connectivity mode anyway.

      Is there any solution for this?

      Cheers

        bmeeks

        @sense678:

        Hi all,

        I have installed an OpenVPN client directly in pfSense to my VPN provider. This is running over a VPN_WAN and a VPN_GATEWAY.
        Everything is working so far, it gets the correct DNS by DHCP, the IP is "correct", the routing seems fine.

        But now I want to use Snort on my box. I tried to use Snort on VPN_WAN, but that doesn't seem to work correctly because the traffic is encrypted, of course. So I get a lot of alerts just from surfing normal websites; they are endless, most of them (http_inspect) UNKNOWN METHOD.

        How can I achieve snorting a VPN connection? Normally Snort has to be placed after the traffic is decrypted, but on VPNLAN it's the same behaviour.

        If I use Snort on my normal WAN connection there are far fewer alerts. I am using it in connectivity mode anyway.

        Is there any solution for this?

        Cheers

        You are seeing some rather well known false positives.  The HTTP_INSPECT is notorious for giving false positives.  There is a Suppress List thread here in the Packages sub-forum that lists most of the common false positive rules that folks either disable or create suppress entries for.  Do a search for "master suppress list", and it should pop up.

        Bill

          sense678

          The problem that I have is:

          I have Snort enabled on WAN and on VPNWAN.

          I call website X on WAN and get, let's say, 4 Snort messages for this website.

          Then I call the same website on VPNWAN and I get like 30 Snort alerts for the same website.

          This is why I think something's wrong with "snorting" a VPN WAN interface.

          Hope this is more understandable now.

          Cheers.

            bmeeks

            You may get additional preprocessor or decoder alerts due to the packet structure.  Just add suppress list entries for those.

            Bill

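One way to apply Bill's advice systematically, as an added example that is not from this thread or from the pfSense Snort package: parse Snort's fast-format alert log for each interface, count alerts per GID:SID, and emit suppress-list entries only for decoder/preprocessor alerts that fire repeatedly, leaving real rule hits untouched. The alert lines, the interface names and the local rule SID below are constructed sample data.

```python
import re
from collections import Counter

# Constructed Snort "fast"-format alert lines for one visit to the same
# site on each interface. Sample data only, not the original poster's logs.
SAMPLE_ALERTS = {
    "WAN": [
        "01/15-10:01:00.000001  [**] [1:1000001:1] LOCAL example rule [**] [Priority: 2] {TCP} 10.0.0.5:51000 -> 203.0.113.10:80",
        "01/15-10:01:00.000002  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 10.0.0.5:51000 -> 203.0.113.10:80",
    ],
    "VPN_WAN": [
        "01/15-10:02:00.000001  [**] [1:1000001:1] LOCAL example rule [**] [Priority: 2] {TCP} 10.0.0.5:51001 -> 203.0.113.10:80",
        "01/15-10:02:00.000002  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 10.0.0.5:51001 -> 203.0.113.10:80",
        "01/15-10:02:00.000003  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 10.0.0.5:51002 -> 203.0.113.10:80",
        "01/15-10:02:00.000004  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 10.0.0.5:51003 -> 203.0.113.10:80",
        "01/15-10:02:00.000005  [**] [116:150:1] (snort_decoder) WARNING: Bad Traffic Loopback IP [**] [Priority: 3] {TCP} 10.0.0.5:51004 -> 203.0.113.10:80",
    ],
}

# Each fast-format alert carries "[gid:sid:rev] message" between the [**] markers.
FAST_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):\d+\] (.*?) \[\*\*\]")

def parse_alert(line):
    """Return (gid, sid, msg) for one fast-format line, or None if it does not parse."""
    m = FAST_RE.search(line)
    return (int(m.group(1)), int(m.group(2)), m.group(3)) if m else None

def alert_counts(lines):
    """Count alerts per (gid, sid, msg), skipping lines that do not parse."""
    return Counter(p for p in map(parse_alert, lines) if p is not None)

def noisy_preprocessor_alerts(counts, min_hits=2):
    """Keep decoder/preprocessor alerts (Snort uses GIDs of 100 and above for
    those) seen at least min_hits times; rule hits (GID 1/3) are never candidates."""
    return {k: n for k, n in counts.items() if k[0] >= 100 and n >= min_hits}

def suppress_entries(noisy):
    """Render suppress-list lines in Snort's threshold.conf syntax, one per GID:SID."""
    return sorted({f"suppress gen_id {gid}, sig_id {sid}" for gid, sid, _ in noisy})

def compare_interfaces(samples):
    """Total alerts per interface, to confirm which side is the noisy one."""
    return {name: sum(alert_counts(lines).values()) for name, lines in samples.items()}

if __name__ == "__main__":
    print(compare_interfaces(SAMPLE_ALERTS))
    noisy = noisy_preprocessor_alerts(alert_counts(SAMPLE_ALERTS["VPN_WAN"]))
    print("\n".join(suppress_entries(noisy)))
```

The generated lines go into the pfSense Snort suppress list assigned to the VPN interface; review each GID:SID against the thread's "master suppress list" before adding it, since a preprocessor alert that fires once is not evidence of a false positive.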
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.