Netgate Discussion Forum

Snort Interface Which IP to Block ?

IDS/IPS
6 Posts 3 Posters 2.5k Views
    ravegen
    last edited by Sep 11, 2018, 7:17 AM

    If my interface is WAN, is incoming traffic from the internet SRC or DST?

    If my interface is LAN, is outgoing traffic from the internet SRC or DST?

      ravegen @ravegen
      last edited by ravegen Sep 11, 2018, 11:45 PM

      34 views and no one has replied.

        bmeeks
        posted Sep 12, 2018, 1:19 AM, last edited by bmeeks Sep 12, 2018, 1:23 AM

        For Snort it can be either, meaning the bad traffic could be from an internal host to outside, or from an external bad host to a victim inside. Hence the source of the "bad guy" info could be SRC or DST on either interface. For this reason the default (and suggested value) for "which IP to block" in Snort is BOTH.

        I don't mean any offense by this statement, but if you have to ask that question about using Snort, then you are not yet knowledgeable enough about the IDS/IPS to tinker with any of the default Snort settings. Configure Snort on your LAN interface, get a Snort Oinkcode (registered free or the paid premium), enable the Snort VRT rules and choose the IPS policy "Connectivity" and run the package in alert-only (non-blocking) mode for several weeks to see what kinds of alerts you get in your network. Tune out any identified false positives, and only then enable blocking mode.

          ravegen @bmeeks
          last edited by Sep 13, 2018, 5:43 AM

          @bmeeks

          Yet I don't want to block from the internal side because it can possibly be resolved by antivirus, so I'm looking to block from outside, thus my question.

          • SteveITS @ravegen
            last edited by Sep 13, 2018, 7:10 PM

            I think his point is that if you just log alerts and don't block anything, the Alerts tab will show you which IP is which. At least it does in Suricata, which I've used. Then you can turn on blocking later.

            Elsewhere in pfSense the src/dst is from the perspective of the interface. In Suricata, an inbound packet coming in to WAN would have a source of the Internet, dest of the WAN IP (? doing this off the top of my head), then leaving LAN it would have a source of the Internet IP, and a dest of the PC's IP.

              bmeeks
              last edited by Sep 14, 2018, 6:05 PM

              @teamits is correct. The ALERTS tab will list SRC and DST addresses for detected alerts. He is also correct on which IP will show depending on the chosen interface on which to run Snort. I recommend running Snort on the LAN interface. That way you can see internal addresses before NAT rules are applied (in the case of outbound traffic) and after NAT rules are removed (in the case of inbound traffic from the Internet). On the WAN, all local IP addresses behind NAT will just show up as having your public WAN IP. That's not useful for tracking down which internal host has a problem.

              You should pretty much always let Snort block both SRC and DST IP addresses to be confident the bad traffic is stopped. Anti-virus software has no bearing on this. It detects different things and misses other things. For example, anti-virus software won't detect buffer overflows in your web browser or services. Basic anti-virus software examines executables as they run (or right before), but it does not examine network flows/streams like a true IDS/IPS such as Snort or Suricata.

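The two points bmeeks makes above, that the "bad guy" can be the SRC or the DST of an alert regardless of interface, and that on WAN every internal host collapses into the firewall's public address, can be seen by replaying a few alerts through the three "Which IP to Block" choices. The script below is an added example for this thread; it is not code from the thread or from the pfSense Snort package. It assumes three constructed alert lines in Snort's alert_fast format, models the SRC/DST/BOTH option as a string argument, and models a pass list (the package's list of local addresses that are never blocked) as a plain tuple of CIDR strings; the addresses and SIDs are made up.

```python
import ipaddress
import re

# Constructed sample alerts in Snort's alert_fast format (made up for this
# example, not taken from the thread). Lines 1-2 are what Snort on the LAN
# interface would see; line 3 is the same inbound probe as line 1 but as the
# WAN interface sees it: the internal target 192.168.1.20 has become the
# firewall's public address 203.0.113.200 (assumed WAN IP).
SAMPLE_ALERTS = """\
09/13-05:43:01.000001  [**] [1:1000001:1] LOCAL inbound probe to web server [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51000 -> 192.168.1.20:80
09/13-05:43:05.000002  [**] [1:1000002:1] LOCAL outbound beacon from workstation [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.1.10:49152 -> 198.51.100.9:443
09/13-05:43:09.000003  [**] [1:1000003:1] LOCAL inbound probe to web server [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51001 -> 203.0.113.200:80
"""
LAN_VIEW = "\n".join(SAMPLE_ALERTS.splitlines()[:2])
WAN_VIEW = SAMPLE_ALERTS.splitlines()[2]

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, then "src[:port] -> dst[:port]".
# IPv4 only, to keep the address/port split unambiguous.
ALERT_RE = re.compile(
    r"""^(?P<ts>\S+)\s+\[\*\*\]\s+
        \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+
        (?P<msg>.*?)\s+\[\*\*\]\s+
        (?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?
        \[Priority:\s*(?P<prio>\d+)\]\s+
        \{(?P<proto>\w+)\}\s+
        (?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+
        (?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$""",
    re.VERBOSE,
)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "sid": int(d["sid"]), "msg": d["msg"],
        "priority": int(d["prio"]), "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
    }


def addresses_to_block(alert, which="BOTH", pass_list=()):
    """Model of the package's 'Which IP to Block' choice (SRC, DST or BOTH).
    pass_list is an assumed tuple of CIDR strings that are never blocked,
    standing in for the package's pass list of local addresses."""
    if which == "SRC":
        candidates = [alert["src"]]
    elif which == "DST":
        candidates = [alert["dst"]]
    elif which == "BOTH":
        candidates = [alert["src"], alert["dst"]]
    else:
        raise ValueError(f"unknown block selector: {which!r}")
    nets = [ipaddress.ip_network(n, strict=False) for n in pass_list]
    return {a for a in candidates
            if not any(ipaddress.ip_address(a) in n for n in nets)}


def block_table(lines, which, pass_list=()):
    """Union of addresses that would land in the block table for a log."""
    blocked = set()
    for line in lines.splitlines():
        alert = parse_alert(line)
        if alert is not None:
            blocked |= addresses_to_block(alert, which, pass_list)
    return blocked


def compare_policies(lines, pass_list=()):
    """Block table under each of the three selector settings."""
    return {w: block_table(lines, w, pass_list) for w in ("SRC", "DST", "BOTH")}


if __name__ == "__main__":
    # LAN view, internal hosts exempted: BOTH is the only setting that
    # catches both the external scanner and the external C2 server.
    for which, addrs in compare_policies(LAN_VIEW, ("192.168.1.0/24",)).items():
        print(f"LAN  {which:4s} -> {sorted(addrs)}")
    # WAN view, firewall's own address exempted: the internal target is
    # not visible at all, only the external probe source remains.
    for which, addrs in compare_policies(WAN_VIEW, ("203.0.113.200/32",)).items():
        print(f"WAN  {which:4s} -> {sorted(addrs)}")
```

On the LAN view with the local subnet pass-listed, SRC alone blocks only the inbound scanner and misses the C2 server the infected workstation is talking to, DST alone does the reverse, and BOTH blocks the two external hosts while the pass list keeps the internal machines out of the table. On the WAN view the same inbound probe only ever shows the external source and the firewall's own address, which is why the internal target cannot be identified from there.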
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.