Snort / PF inspection order



  • It seems that in pfSense by default Snort picks up traffic before PF has any chance to filter it.

    I want snort to see only traffic that PF passes.

    Is there any way to change that?

    Thanks in advance.



  • @AmbrSb:

    It seems that in pfSense by default Snort picks up traffic before PF has any chance to filter it.

    I want snort to see only traffic that PF passes.

    Is there any way to change that?

    Thanks in advance.

    No, Snort uses libpcap to get copies of packets as they leave the NIC heading to pf (from the WAN point of view for inbound traffic).  So Snort will always see inbound traffic before the pf firewall does.

    Depending on your situation and exactly what you want to monitor, running Snort on the LAN side of the firewall might be a better solution.

    Bill



  • Thank you Bill for the explanation.

    Then could I possibly make Snort pick its traffic from some "tun0" interface? Then I forward incoming traffic from physical interfaces, via PF to that tunnel interface.

    Does pfSense support such a setup right now?



  • @AmbrSb:

    Thank you Bill for the explanation.

    Then could I possibly make Snort pick its traffic from some "tun0" interface? Then I forward incoming traffic from physical interfaces, via PF to that tunnel interface.

    Does pfSense support such a setup right now?

    Not sure if that would work or not.  Depends on how the tunnel interface plays with libpcap.  Why not just let Snort sniff all packets on the interface anyway?  Unless you have gigabits per second of sustained traffic, then it's not going to be too big of a drag on most firewalls to let Snort see traffic before the packet filter filters it.  You can use Suppress and Pass Lists to control alerts and blocks.

    Bill



  • The main reason I don't want Snort/Suricata to see the whole traffic is minimization of false positives.

    I am concerned that Suppression Lists may desensitize Snort against real problems.
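An added triage script (not from the thread, pfSense or the Snort package) that follows from Bill's point above: Snort on the WAN alerts on packets pf would have dropped anyway, so those alerts can be separated from alerts on traffic pf actually passed before deciding what belongs in a Suppress List. The Snort fast-alert lines and the pf block list are constructed samples; the block list uses a simplified proto,src,sport,dst,dport format assumed here, not pfSense's own filterlog format.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Snort "fast" alert line; we only need proto, src:port and dst:port.
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$'
)

FlowKey = Tuple[str, str, str, str, str]  # (PROTO, src, sport, dst, dport)

def parse_fast_alert(line: str) -> Dict[str, str]:
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return m.groupdict()

def load_pf_blocks(lines: Iterable[str]) -> Set[FlowKey]:
    """Assumed simplified block list: one 'proto,src,sport,dst,dport' per line."""
    blocks: Set[FlowKey] = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        proto, src, sport, dst, dport = line.split(',')
        blocks.add((proto.upper(), src, sport, dst, dport))
    return blocks

def classify_alerts(alert_lines: Iterable[str], block_lines: Iterable[str]):
    """Split alerts into (passed_by_pf, blocked_by_pf) by matching the 5-tuple."""
    blocks = load_pf_blocks(block_lines)
    passed: List[Dict[str, str]] = []
    blocked: List[Dict[str, str]] = []
    for line in alert_lines:
        a = parse_fast_alert(line)
        key: FlowKey = (a['proto'].upper(), a['src'], a['sport'], a['dst'], a['dport'])
        (blocked if key in blocks else passed).append(a)
    return passed, blocked

# Constructed sample data (documentation address ranges, made-up SIDs).
SAMPLE_ALERTS = [
    "01/02-10:15:01.000001  [**] [1:1000001:1] CONSTRUCTED telnet probe [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 203.0.113.9:51234 -> 198.51.100.5:23",
    "01/02-10:15:02.000002  [**] [1:1000002:1] CONSTRUCTED web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:51235 -> 198.51.100.5:443",
    "01/02-10:15:03.000003  [**] [1:1000003:1] CONSTRUCTED snmp probe [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.7:40000 -> 198.51.100.5:161",
]
SAMPLE_PF_BLOCKS = [
    "# proto,src,sport,dst,dport (constructed)",
    "tcp,203.0.113.9,51234,198.51.100.5,23",
    "udp,203.0.113.7,40000,198.51.100.5,161",
]

if __name__ == "__main__":
    passed, blocked = classify_alerts(SAMPLE_ALERTS, SAMPLE_PF_BLOCKS)
    print("alerts on traffic pf passed :", [a['sid'] for a in passed])
    print("alerts on traffic pf blocked:", [a['sid'] for a in blocked])
```

Alerts in the second list are candidates for suppression review; those in the first list are the ones that reached hosts behind pf and deserve attention first.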