Logging/Blocking Suspect LAN->WAN Traffic - What is the Best Way



  • My pfSense SG-2440 is up and running with both pfBlockerNG and Snort.  What is the best way to keep an eye on what my LAN is up to? i.e. infected or remotely accessed machines, etc.

    I have Snort monitoring both LAN and WAN with the Snort $30 personal subscription.  pfBlocker is set to block the top 20 malware countries for IPv4 and IPv6.

    Thank you,

    Jerold



  • Sounds like pfBlockerNG will block LAN->WAN traffic to suspect countries and Snort should monitor for known vulnerabilities on the LAN and WAN interfaces.  Is there anything else I need to do to identify a network host that is doing something suspicious?

    Thanks,
    Jerold



  • @jpvonhemel:

    Sounds like pfBlockerNG will block LAN->WAN traffic to suspect countries and Snort should monitor for known vulnerabilities on the LAN and WAN interfaces.  Is there anything else I need to do to identify a network host that is doing something suspicious?

    Thanks,
    Jerold

    You need to understand what is normal traffic for your LAN.  You can only get that by actively monitoring or looking at the collected data over a long period of time.  A single hour or a single day is not enough.  A week starts to give you an idea.
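One way to turn the "learn what is normal over a week" advice above into a concrete check, as an added example that is not part of this thread and not a pfSense or pfBlockerNG feature: build a per-host baseline of outbound ports and destination counts from several days of records, then flag hosts on a later day that step outside it. The record format below is a constructed, simplified `day,src,dst,dport` layout, not pfSense's filterlog syntax, and the `factor` threshold is an assumed tuning value.

```python
from collections import defaultdict

# Constructed sample outbound records (day,src,dst,dport); a simplified format
# for illustration, not pfSense filterlog syntax.
SAMPLE = """\
1,192.168.1.10,93.184.216.34,443
1,192.168.1.10,198.51.100.20,443
2,192.168.1.10,93.184.216.34,443
1,192.168.1.20,93.184.216.34,443
2,192.168.1.20,93.184.216.34,80
5,192.168.1.10,203.0.113.7,6667
5,192.168.1.10,203.0.113.8,443
5,192.168.1.10,203.0.113.9,443
5,192.168.1.10,203.0.113.10,443
5,192.168.1.10,203.0.113.11,443
5,192.168.1.20,93.184.216.34,443
"""

def parse(text):
    # Each line becomes a (day, src, dst, dport) tuple.
    out = []
    for line in text.strip().splitlines():
        day, src, dst, dport = line.split(",")
        out.append((int(day), src, dst, int(dport)))
    return out

def build_baseline(records, baseline_days):
    # Per LAN host: ports used in the window, and the busiest day's number
    # of distinct destinations. That is the "normal" to compare against.
    ports = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(set))
    for day, src, dst, dport in records:
        if day in baseline_days:
            ports[src].add(dport)
            per_day[src][day].add(dst)
    peak = {h: max(len(s) for s in d.values()) for h, d in per_day.items()}
    return ports, peak

def find_deviations(records, day, ports, peak, factor=2):
    # Flag a host on `day` if it uses a port never seen in its baseline or
    # talks to more than factor x its baseline peak of distinct destinations.
    findings, dsts = [], defaultdict(set)
    for _, src, dst, dport in (r for r in records if r[0] == day):
        dsts[src].add(dst)
        if dport not in ports.get(src, set()):
            findings.append((src, f"new destination port {dport} to {dst}"))
    for src, seen in dsts.items():
        if len(seen) > factor * peak.get(src, 0):
            findings.append((src, f"{len(seen)} distinct destinations, baseline peak {peak.get(src, 0)}"))
    return findings
```

With a real deployment the baseline window should be at least the week the reply recommends, and a flagged host is a prompt to look at its Snort alerts and pfBlockerNG hits, not a verdict on its own.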