Netgate Discussion Forum

Setup and configure Snort on pfSense to detect intrusion attempts within a LAN

IDS/IPS, tags: snort, pfsense. 8 posts, 3 posters.

oldrik, Jul 22, 2019, 5:49 AM

    Hello, I'm a newbie to Snort and pfSense. I'm actually trying to implement Snort on pfSense so that it is able to alert on and block an attack (such as a port scan or DoS) sent by a user on the LAN interface.
    I successfully created a virtual machine in VirtualBox, installed pfSense with the Snort package, configured the Snort interface and global settings with non-blocking alerts so that I can observe it, and set up two interfaces, i.e. WAN and LAN, following some online guidelines.
    WAN : 192.168.43.75
    LAN : 192.168.1.1
    After that, I created four other virtual machines in VirtualBox and installed Ubuntu 16.04. PC1 and PC2 are configured with IPs on the LAN interface and PC3 and PC4 are configured with IPs on the WAN interface, that is:
    PC1 : 192.168.1.101
    PC2 : 192.168.1.102
    PC3 : 192.168.43.136
    PC4 : 192.168.43.213

    I installed nmap on PC1 and launched an nmap command to scan PC2 on the same LAN, i.e. nmap 192.168.1.102. After that, there was no alert for the port scan I performed, whereas I was expecting my Snort/pfSense to display an alert.
    But when I do a port scan from PC3, which is on the WAN interface, against PC1, it shows me an alert, which I'm OK with.

    So, I want PC1 to perform a port scan on PC2, or PC2 to perform a port scan on PC1, and Snort should give me an alert about which device is doing what. This is because I want to be able to protect my LAN environment.

    kiokoman (LAYER 8), Jul 22, 2019, 9:56 AM

      If I'm not wrong, communication between PC1 and PC2 is direct and does not pass through the firewall.
      You will probably see an alert if you try to perform a port scan from PC1 to PC3 or PC4, and from PC2 to PC3 and PC4.
      You need to move PC2 to another network, like a VLAN, to see the alert.

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

      oldrik @kiokoman, Jul 22, 2019, 12:06 PM

        @kiokoman Please, if I understand well, does it mean that Snort can't actually alert on and block an attack such as a port scan performed by a user on a LAN network against another user on the same LAN?

        If that is the case, how can Snort be configured to alert on and block a user on a LAN who performs an attack such as a port scan against another user on the same LAN?

        Thanks in advance.

        kiokoman (LAYER 8), Jul 22, 2019, 12:29 PM

          You simply can't, not on the same LAN. It is assumed that machines on the same LAN are trusted; if you don't trust someone, you just isolate it on a separate network such as a VLAN, configure Snort/Suricata, and set some firewall rules.


          oldrik @kiokoman, Jul 22, 2019, 12:51 PM

            @kiokoman OK

            oldrik @kiokoman, Jul 22, 2019, 1:12 PM

              @kiokoman Hello, please, I am still not clear. So the reason for running Snort on the LAN interface is to catch the internal IP address of offenders in a LAN who perform an attack directed outside of the LAN, that is, to the WAN network?

              kiokoman (LAYER 8), Jul 22, 2019, 2:39 PM

                @oldrik said in Setup and configure Snort on pfSense to detect intrusion attempts within a LAN:

                So the reason for running Snort on the LAN interface is to catch the internal IP address of offenders in a LAN who perform an attack directed outside of the LAN, that is, to the WAN network?

                Yes. Think about what a virus / trojan / botnet etc. could do. Those can enter your PC inside the LAN via a USB stick, for example.


                bmeeks @oldrik, Jul 22, 2019, 8:00 PM

                  @oldrik said in Setup and configure Snort on pfSense to detect intrusion attempts within a LAN:

                  @kiokoman Please, if I understand well, does it mean that Snort can't actually alert on and block an attack such as a port scan performed by a user on a LAN network against another user on the same LAN?

                  If that is the case, how can Snort be configured to alert on and block a user on a LAN who performs an attack such as a port scan against another user on the same LAN?

                  Thanks in advance.

                  Snort runs on the firewall. The firewall is not in the traffic path if two machines on the same LAN talk to each other. Only the LAN switch is in that pathway. The only time the firewall can see traffic from a LAN client is when that client is communicating with an IP address that is NOT part of the LAN. That would be a different LAN subnet where the firewall is the route to the different subnet, or some host out on the Internet (which means the traffic is traversing the WAN interface).

                  So since Snort would not see one LAN client port scanning another LAN client (in the same subnet), it can't do anything about it.

                  If you wanted to monitor traffic between LAN hosts on the same network, then you will need a managed switch that provides a span port (or port mirroring). You would then configure mirroring on the switch and set up a separate installation of Snort on say a Linux host on the LAN and connect that host to the span port on the switch. Only then could Snort on the Linux host see traffic between other LAN hosts.

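The visibility rule bmeeks describes (the firewall, and so Snort on it, only sees flows that cross a subnet boundary, while a SPAN-port sensor sees anything in the mirrored segment) can be checked against the thread's own lab addresses. This is an added illustration, not code from the thread or from pfSense/Snort; the subnets, the "everything non-local leaves via WAN" default route and the SPAN-port model are assumptions.

```python
import ipaddress

# Constructed from the lab in the thread: pfSense WAN/LAN subnets and the four VMs.
# Assumption: /24 subnets, and any non-local destination is routed out via WAN.
INTERFACES = {
    "WAN": ipaddress.ip_network("192.168.43.0/24"),
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
}
FIREWALL_ADDRS = {"192.168.43.75": "WAN", "192.168.1.1": "LAN"}
DEFAULT_ROUTE_IF = "WAN"


def interface_for(ip):
    """Name of the pfSense interface whose subnet contains ip, or None if not local."""
    addr = ipaddress.ip_address(ip)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return None


def firewall_snort_sees(src, dst):
    """Sorted list of pfSense interfaces on which Snort could observe src -> dst.

    Same-subnet traffic travels host -> switch -> host and never reaches the
    firewall, so it returns []; traffic aimed at the firewall's own address is
    seen on that interface; anything crossing subnets is seen on both sides.
    """
    if dst in FIREWALL_ADDRS:
        return [FIREWALL_ADDRS[dst]]
    src_if, dst_if = interface_for(src), interface_for(dst)
    if src_if is None and dst_if is None:
        return []  # neither endpoint is behind this firewall
    if src_if == dst_if:
        return []  # same broadcast domain: switch only, no alert possible
    return sorted({src_if or DEFAULT_ROUTE_IF, dst_if or DEFAULT_ROUTE_IF})


def span_sensor_sees(src, dst, mirrored_subnet):
    """A separate Snort host on a switch SPAN port mirroring mirrored_subnet
    sees any frame with at least one endpoint in that subnet (the fix bmeeks suggests)."""
    net = ipaddress.ip_network(mirrored_subnet)
    return ipaddress.ip_address(src) in net or ipaddress.ip_address(dst) in net


if __name__ == "__main__":
    pcs = {"PC1": "192.168.1.101", "PC2": "192.168.1.102",
           "PC3": "192.168.43.136", "PC4": "192.168.43.213"}
    for a, b in (("PC1", "PC2"), ("PC3", "PC1"), ("PC1", "PC3")):
        print(f"{a} -> {b}: firewall Snort sees on {firewall_snort_sees(pcs[a], pcs[b]) or 'nothing'}, "
              f"LAN SPAN sensor sees: {span_sensor_sees(pcs[a], pcs[b], '192.168.1.0/24')}")
```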