Which rules should be active when enabling WAN and LAN interfaces on SNORT?
-
I am new to computer networking. I would like to set up SNORT for my small office.
I was wondering what the difference is between enabling SNORT on WAN and LAN, and
which rules should be active when enabling the WAN and LAN interfaces on SNORT?
Thanks for your help in advance.
-
https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/145
If you add it to both interfaces you see Snort alerts pre-NAT.
-
@john-the-ripper said in Which rules should be active when enabling WAN and LAN interfaces on SNORT?:
I am new to computer networking. I would like to set up SNORT for my small office.
I was wondering what the difference is between enabling SNORT on WAN and LAN, and
which rules should be active when enabling the WAN and LAN interfaces on SNORT?
Thanks for your help in advance.
Put Snort on the LAN interface only. Putting it on the WAN will just log a bunch of junk the firewall is going to drop anyway. Plus, as @NogBadTheBad said, on the WAN all of your LAN host IP addresses will show in alerts "after NAT", meaning they will have the WAN's public IP. This is not very helpful when you are trying to determine which local host triggered the alert.
As for which rules, I suggest you do this to use a Snort Team-provided IPS policy.

1. Get a Snort Subscriber Rules account. There are free and paid versions. You have to register for both. The difference between the two is explained at the link you will find on the GLOBAL SETTINGS tab in Snort. You can also use this link.

2. After you get your Snort Oinkcode, enable the Snort Subscriber Rules by clicking the checkbox and paste your Oinkcode into the box provided on the GLOBAL SETTINGS tab.

3. Go to the UPDATES tab and click Update to get a fresh copy of the Snort rules. Be sure to wait until the pop-up modal dialog auto-closes before leaving the page. It will take several seconds to a minute or more to download the rules.

4. Now click on the INTERFACES tab and add your LAN interface to Snort if you have not done that already. Leave things at their defaults initially. I recommend you do not enable blocking initially to give you some time to see what alerts your network generates. If you turn on blocking right away, expect some false positives and some headaches caused by blocking what are really OK things (those false positives). Save the new interface. You should get returned to the INTERFACES tab.

5. Click the edit icon for your LAN and then click on the CATEGORIES tab. Click the checkbox to "Enable IPS Policy" and then choose the "IPS - Connectivity" policy in the drop-down. Let that be it at first. That is a good starter set of rules put together by the Snort team. Click Save on the page.

6. Return to the INTERFACES tab and click the "start" icon to start Snort on the LAN. Hover over the icons to see a pop-up tooltip of what each icon does. Wait for Snort to start. The icon will turn into a green gear when Snort is running.

7. You're done for now. Let it run like that for a week or so to give you a chance to see what kinds of alerts you get. Decide if you are getting any false positives (those are very likely with some of the HTTP_INSPECT rules), and suppress or disable the false positive rules. There are numerous threads here about setting up Suppress Lists and which rules to disable in Snort. Search for them to get some Snort tuning advice from other experienced Snort users.

8. After you get the rules tuned up, then you can go to the INTERFACE SETTINGS tab again for the LAN and enable blocking. Remember when you make changes on the INTERFACE SETTINGS tab, you need to restart Snort on the interface for the changes to take effect.
-
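The advice above hinges on two things: running Snort on the LAN so alerts carry the real local host address instead of the post-NAT WAN address, and spending a week reviewing alerts before drafting a Suppress List. The following script is an added example, not code from the thread or from the pfSense Snort package. It parses Snort's `alert_fast` line format, tallies alerts per rule and per LAN source host, and drafts suppress-list entries (in Snort's `suppress gen_id ..., sig_id ..., track by_src, ip ...` syntax) for rules that fire from several distinct hosts, which is a common false-positive pattern. The sample alert lines, SIDs (in the 1000000+ local range), IP addresses and the `min_hosts` threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Layout of one Snort "alert_fast" line:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
# Ports are absent for ICMP, so they are optional below.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)

# Constructed sample alerts (not real Snort rules): local-range SIDs and
# documentation IP addresses. Source addresses are LAN hosts, which is only
# what you see when Snort runs on the LAN interface rather than the WAN.
SAMPLE_ALERTS = """\
08/10-09:01:12.000001  [**] [1:1000001:1] CONSTRUCTED HTTP sample rule A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:50001 -> 203.0.113.5:80
08/10-09:02:30.000002  [**] [1:1000001:1] CONSTRUCTED HTTP sample rule A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.11:50002 -> 203.0.113.5:80
08/10-09:03:45.000003  [**] [1:1000001:1] CONSTRUCTED HTTP sample rule A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.12:50003 -> 203.0.113.6:443
08/10-09:04:00.000004  [**] [1:1000002:2] CONSTRUCTED sample rule B [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.10 -> 198.51.100.7
08/10-09:05:10.000005  [**] [1:1000001:1] CONSTRUCTED HTTP sample rule A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:50004 -> 203.0.113.5:80
this line is not an alert and is skipped
"""


def parse_alert(line):
    """Return the fields of one alert_fast line, or None for non-alert lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev"):
        fields[key] = int(fields[key])
    return fields


def tally(lines):
    """Count alerts per rule and per source host; record which hosts hit each rule."""
    per_rule = Counter()
    per_host = Counter()
    hosts_per_rule = defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        rule = (alert["gid"], alert["sid"], alert["msg"])
        per_rule[rule] += 1
        per_host[alert["src"]] += 1
        hosts_per_rule[rule].add(alert["src"])
    return per_rule, per_host, hosts_per_rule


def draft_suppressions(hosts_per_rule, min_hosts=3):
    """Draft Snort suppress-list entries for rules seen from many distinct LAN hosts.

    A rule firing from several unrelated hosts on ordinary traffic is a typical
    false-positive signature. Entries are scoped to the observed hosts
    (track by_src) instead of disabling the rule outright. min_hosts is an
    assumed threshold; review the draft before pasting it into a Suppress List.
    """
    entries = []
    for (gid, sid, msg), hosts in sorted(hosts_per_rule.items()):
        if len(hosts) < min_hosts:
            continue
        entries.append(f"# {msg} seen from {len(hosts)} hosts")
        for host in sorted(hosts, key=lambda h: tuple(map(int, h.split(".")))):
            entries.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {host}")
    return entries


if __name__ == "__main__":
    per_rule, per_host, hosts_per_rule = tally(SAMPLE_ALERTS.splitlines())
    print("alerts per rule:")
    for (gid, sid, msg), n in per_rule.most_common():
        print(f"{n:4d}  [{gid}:{sid}] {msg}  ({len(hosts_per_rule[(gid, sid, msg)])} hosts)")
    print("\nalerts per LAN host (only meaningful with Snort on the LAN interface):")
    for host, n in per_host.most_common():
        print(f"{n:4d}  {host}")
    print("\ndraft suppress list:")
    print("\n".join(draft_suppressions(hosts_per_rule)))
```

Feed it a week of exported alert lines (`python3 tally_alerts.py < alerts.log` after swapping `SAMPLE_ALERTS` for `sys.stdin`) and the per-host table is exactly the information that is lost when Snort sits on the WAN, where every LAN host would appear as the firewall's public address.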