    Snort / PF inspection order

    Firewalling
      AmbrSb wrote:

      It seems that in pfSense by default Snort picks up traffic before PF has any chance to filter it.

      I want snort to see only traffic that PF passes.

      Is there any way to change that?

      Thanks in advance.

        bmeeks wrote:

        @AmbrSb:

        No, Snort uses libpcap to get copies of packets as they leave the NIC heading to pf (from the WAN point of view for inbound traffic).  So Snort will always see inbound traffic before the pf firewall does.

        Depending on your situation and exactly what you want to monitor, running Snort on the LAN side of the firewall might be a better solution.

        Bill

          AmbrSb wrote:

          Thank you Bill for the explanation.

          Then could I possibly make Snort pick its traffic from some "tun0" interface? Then I forward incoming traffic from physical interfaces, via PF to that tunnel interface.

          Does pfSense support such a setup right now?

            bmeeks wrote:

            @AmbrSb:

            Not sure if that would work or not.  Depends on how the tunnel interface plays with libpcap.  Why not just let Snort sniff all packets on the interface anyway?  Unless you have gigabits per second of sustained traffic, then it's not going to be too big of a drag on most firewalls to let Snort see traffic before the packet filter filters it.  You can use Suppress and Pass Lists to control alerts and blocks.

            Bill

              AmbrSb wrote:

              The main reason I don't want Snort/Suricata to see the whole traffic is minimization of false positives.

              I am concerned that Suppression Lists may desensitize Snort against real problems.

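The thread's two facts fit together: Snort reads packets via libpcap before pf filters them, and the poster worries that Suppress Lists hide real problems. One way to keep full visibility without suppressing signatures is to triage alerts afterwards by checking whether pf actually dropped the flow. The script below is an added example, not code from pfSense, the Snort package, or either poster. It parses Snort's standard alert_fast line format, a simplified pf block-log line (the shape is an assumption, modelled loosely on tcpdump output on pflog0), and constructed sample data using documentation IPs and local-range SIDs, then tags each alert with pf's verdict.

```python
"""Triage Snort alerts against pf block logs (added example, not pfSense code).

Because Snort reads packets via libpcap before pf filters them, an alert can
refer to a packet pf later dropped. Tagging each alert with pf's verdict lets an
analyst deprioritise 'already blocked' hits instead of adding a Snort suppress
entry that would also hide the same signature on traffic pf allowed.
Only TCP/UDP flows are handled; ICMP has no ports and is left unparsed.
"""
import re
from collections import namedtuple

Flow = namedtuple("Flow", "proto src sport dst dport")

# Snort alert_fast format: <ts> [**] [gid:sid:rev] <msg> [**] ... {PROTO} src:sport -> dst:dport
_SNORT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Simplified pf log line (assumed shape, loosely modelled on `tcpdump -n -e -i pflog0`):
#   rule 5/0(match): block in on em0: 203.0.113.10.51234 > 198.51.100.5.1433: tcp
_PF_RE = re.compile(
    r"^rule \S+:\s+(?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<proto>\w+)"
)

# Constructed sample data: documentation IPs, SIDs in the local 1000000+ range.
SNORT_ALERTS = """\
03/14-10:02:11.123456  [**] [1:1000001:1] CONSTRUCTED inbound MSSQL probe [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:51234 -> 198.51.100.5:1433
03/14-10:02:15.654321  [**] [1:1000002:1] CONSTRUCTED web server returned root id [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 198.51.100.5:80 -> 192.0.2.77:40000
03/14-10:02:20.000000  [**] [1:1000003:1] CONSTRUCTED inbound SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.10:51300 -> 198.51.100.5:22
"""

PF_LOG = """\
rule 5/0(match): block in on em0: 203.0.113.10.51234 > 198.51.100.5.1433: tcp
rule 12/0(match): pass in on em0: 192.0.2.77.40000 > 198.51.100.5.80: tcp
rule 5/0(match): block in on em0: 203.0.113.10.51300 > 198.51.100.5.22: tcp
"""


def parse_snort_alert(line):
    """Parse one alert_fast line into {'sid', 'msg', 'flow'}; None if it does not match."""
    m = _SNORT_RE.match(line)
    if not m:
        return None
    flow = Flow(m["proto"].lower(), m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return {"sid": int(m["sid"]), "msg": m["msg"], "flow": flow}


def parse_pf_blocks(lines):
    """Collect the 5-tuples pf reported as blocked; pass entries are ignored."""
    blocked = set()
    for line in lines:
        m = _PF_RE.match(line.strip())
        if m and m["action"] == "block":
            blocked.add(Flow(m["proto"].lower(), m["src"], int(m["sport"]),
                             m["dst"], int(m["dport"])))
    return blocked


def triage_alerts(snort_lines, pf_lines):
    """Split alerts into those whose flow pf dropped and those pf let through."""
    blocked = parse_pf_blocks(pf_lines)
    result = {"dropped_by_pf": [], "passed_by_pf": [], "unparsed": []}
    for line in snort_lines:
        line = line.strip()
        if not line:
            continue
        alert = parse_snort_alert(line)
        if alert is None:
            result["unparsed"].append(line)
            continue
        bucket = "dropped_by_pf" if alert["flow"] in blocked else "passed_by_pf"
        result[bucket].append(alert)
    return result


def summarize(snort_text=SNORT_ALERTS, pf_text=PF_LOG):
    """Return (dropped, passed, unparsed) counts for the given log text."""
    r = triage_alerts(snort_text.splitlines(), pf_text.splitlines())
    return len(r["dropped_by_pf"]), len(r["passed_by_pf"]), len(r["unparsed"])


if __name__ == "__main__":
    result = triage_alerts(SNORT_ALERTS.splitlines(), PF_LOG.splitlines())
    for bucket in ("dropped_by_pf", "passed_by_pf"):
        for a in result[bucket]:
            f = a["flow"]
            print(f"{bucket:13} sid={a['sid']} {f.src}:{f.sport} -> {f.dst}:{f.dport}  {a['msg']}")
```

With the sample data, the two inbound probes are tagged as dropped by pf and the outbound "root id" alert, which pf never blocked, stays in the passed bucket where it belongs. Matching is on the exact 5-tuple, so a pf block on a different port of the same host does not hide an alert; a real deployment would read Snort's alert file and the pf log on the box and would want a time window around each match.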