Netgate Discussion Forum
    Record client address in snort

IDS/IPS
    6 Posts 3 Posters 568 Views
andrewdr

Probably missed an obvious setting but...

Every snort alert records the address of the pfsense LAN address as either the source or destination rather than the actual LAN client.

A pointer to what I have missed would be appreciated (or clarification that I am looking for the impossible).

      Otherwise snort and pfsense work great.

      Thanks

      Andrew

NogBadTheBad

        Services -> Snort -> Alerts then select the interface.

        If you only run snort on the WAN interface you'll only see your WAN address.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

andrewdr @NogBadTheBad

          @NogBadTheBad
          So I need to run snort on the WAN and on the LAN interface?

bmeeks @andrewdr

            @andrewdr said in Record client address in snort:

            @NogBadTheBad
            So I need to run snort on the WAN and on the LAN interface?

            No, you should generally run Snort only on the LAN interface. That way, all IP addresses recorded on the ALERTS tab will be your actual LAN host addresses. If you run Snort on the WAN, all alerts will show any local host to be using the WAN's public IP. This is because Snort sits out in front of the firewall on any interface. In other words, on the WAN, incoming packets hit Snort first; and outgoing packets hit Snort last. Thus Snort only ever sees the NAT-applied IP address for any local hosts. Running it on the LAN takes care of the NAT problem.

And unless you have special port forwarding turned on and are serving a public server through the firewall, it makes no material difference in terms of security to run Snort on the LAN.

andrewdr @bmeeks
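As an added example (not from this thread and not part of the pfSense Snort package): a short Python script that reads Snort fast-format alert lines and reports, for each alert, whether it can be pinned to a LAN host or whether the firewall's own WAN address is standing in for the real client, which is the NAT effect bmeeks describes. The sample alert lines, the WAN address 198.51.100.2, the LAN subnet 192.168.1.0/24 and the rule SIDs are all constructed.

```python
import ipaddress
import re

# Constructed sample alerts in Snort "fast" alert format (not real rule SIDs).
# Lines 1-2: what a WAN-side Snort instance records for one LAN client's
# session, NAT already applied, so the firewall's WAN IP replaces the client.
# Lines 3-4: the same session as seen by a LAN-side instance.
SAMPLE_ALERTS = """\
05/12-14:33:21.123456  [**] [1:1000001:1] CONSTRUCTED inbound test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:80 -> 198.51.100.2:52134
05/12-14:33:22.000001  [**] [1:1000002:1] CONSTRUCTED outbound test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.2:52135 -> 203.0.113.5:80
05/12-14:33:21.123456  [**] [1:1000001:1] CONSTRUCTED inbound test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:80 -> 192.168.1.25:52134
05/12-14:33:22.000001  [**] [1:1000002:1] CONSTRUCTED outbound test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.25:52135 -> 203.0.113.5:80
"""

# Tail of a fast-format alert: {PROTO} src[:port] -> dst[:port]  (ICMP has no port)
_ENDPOINTS = re.compile(r"\{(\w+)\}\s+(\S+?)(?::(\d+))?\s+->\s+(\S+?)(?::(\d+))?\s*$")


def parse_endpoints(line):
    """Return (proto, src_ip, dst_ip) from one alert line, or None if unparseable."""
    m = _ENDPOINTS.search(line)
    if not m:
        return None
    proto, src, _sport, dst, _dport = m.groups()
    return proto, ipaddress.ip_address(src), ipaddress.ip_address(dst)


def attribute(line, wan_ip, lan_net):
    """Classify one alert: 'client' is the LAN host it can be attributed to,
    'masked' is True when the firewall's WAN address hides the real client."""
    parsed = parse_endpoints(line)
    if parsed is None:
        return {"client": None, "masked": False, "parsed": False}
    _proto, src, dst = parsed
    for addr in (src, dst):
        if addr in lan_net:  # a LAN-side instance records the actual host
            return {"client": str(addr), "masked": False, "parsed": True}
    # No LAN address present: if the WAN IP appears instead, NAT has masked the host.
    return {"client": None, "masked": wan_ip in (src, dst), "parsed": True}


def summarize(alert_text, wan_ip, lan_net):
    """Attribute every non-empty line of an alert log; results keep input order."""
    wan_ip = ipaddress.ip_address(wan_ip)
    lan_net = ipaddress.ip_network(lan_net)
    return [attribute(l, wan_ip, lan_net) for l in alert_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for line, r in zip(SAMPLE_ALERTS.splitlines(), summarize(SAMPLE_ALERTS, "198.51.100.2", "192.168.1.0/24")):
        print("masked by NAT" if r["masked"] else f"client {r['client']}", "<-", line[-45:])
```

Run against a LAN-side instance's alerts, every line should come back with a client address; any line that comes back masked was recorded by a WAN-side instance and cannot be tied to a specific host.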

              @bmeeks We are running a mail server and openvpn server so maybe a bit more research before a wholesale change to snort - thanks.

bmeeks @andrewdr

                @andrewdr said in Record client address in snort:

                @bmeeks We are running a mail server and openvpn server so maybe a bit more research before a wholesale change to snort - thanks.

                You would be fine to put a Snort instance (or instances) on the firewall interfaces where those servers are located. Hopefully you have them in a DMZ of some sort. If so, then put Snort on the DMZ interface. Remember that Snort is not there to protect the firewall, it is there to protect clients behind the firewall. I say this because a firewall is generally very secure and when properly configured has a very minimal attack surface. Client machines (PCs and servers), on the other hand, have tons of attack surfaces. And the biggest attack surface of all is the human sitting at the client's keyboard clicking "yes" and "OK" to just about every single prompt ... ☺.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.