Setup and configure snort on pfsense to detect an intrusion detection attemps within a LAN
-
Hello, i'm a newbie to snort and pfsense. I'm actually trying to implement snort on pfsense for it to be able to alert and block an attack such as (Port Scan or DoS) send by a user within the LAN interface.
I successfully created a virtual machine on virtualbox, install pfsense with snort package, configure snort interface, global settings with non blocking alerts for me to observe it and setup two interfaces ie WAN and LAN following some online guidelines.
WAN : 192.168.43.75
LAN : 192.168.1.1
After which, i created four other virtual machines on virtualbox and install ubuntu 16.04. PC1 and PC2 is configure with IP on the LAN interface and PC3 and PC4 is configured with IP on the WAN interface. that is ;
PC1 : 192.168.1.101
PC2 : 192.168.1.102
PC3 : 192.168.43.136
PC4 : 192.168.43.213I installed nmap on PC1 and launched an nmap command to scan PC2 on the same LAN ie nmap 192.168.1.102 . After that, they was no alert for the port scan attack i performed. So i was expecting my snort/pfsense to display an alert.
But when am doing a portscan on PC3 which is on the WAN interface to scan PC1, it shows me an alert which i'm ok with that.So, i want PC1 to perform a portscan on PC2 or PC2 to perform a portscan on PC1 and snort should be give me an alert on which device is doing what. This is actually because i want to be able to protect my LAN environment.
-
if i'm not wrong communication between PC1 and PC2 are direct and do not pass through the firewall
you will probably see an alert if you try to perform a port scan attack from PC1 to PC3 or PC4 and from PC2 to PC3 and PC4
you need to move PC2 to another network like a vlan to see the alert -
@kiokoman pls if i understand well, does it mean that snort can't actually alert and block an attack such as a portscan performed by a user on a LAN network to another user on the same LAN ????
if that is the case, how can snort be configure to alert and block a user on a LAN from another user on the same LAN who perform an attack such as a portscan ???
Thanks in advanced
-
you simply can't, not on the same lan,it is supposed that machines on the same lan are trusted, if you don't trust someone you just isolate it on a separate network as a vlan, configure snort/suricata and set some firewall rules.
-
@kiokoman ok
-
@kiokoman hello pls i am not still clear. So the reason for running snort on the LAN interface is to catch the internal ip address of offenders in a LAN who perform an attack designated outside of the LAN that is to the WAN network ????
-
@oldrik said in Setup and configure snort on pfsense to detect an intrusion detection attemps within a LAN:
So the reason for running snort on the LAN interface is to catch the internal ip address of offenders in a LAN who perform an attack designated outside of the LAN that is to the WAN network ????
yes, think about what a virus / trojan / botnet etc etc could do. those can enter your pc inside lan via a usb stick for example
-
@oldrik said in Setup and configure snort on pfsense to detect an intrusion detection attemps within a LAN:
@kiokoman pls if i understand well, does it mean that snort can't actually alert and block an attack such as a portscan performed by a user on a LAN network to another user on the same LAN ????
if that is the case, how can snort be configure to alert and block a user on a LAN from another user on the same LAN who perform an attack such as a portscan ???
Thanks in advanced
Snort runs on the firewall. The firewall is not in the traffic path if two machines on the same LAN talk to each other. Only the LAN switch is in that pathway. The only time the firewall can see traffic from a LAN client is when that client is communicating with an IP address that is NOT part of the LAN. That would be a different LAN subnet where the firewall is the route to the different subnet, or some host out on the Internet (which means the traffic is traversing the WAN interface).
So since Snort would not see one LAN client port scanning another LAN client (in the same subnet), it can't do anything about it.
If you wanted to monitor traffic between LAN hosts on the same network, then you will need a managed switch that provides a span port (or port mirroring). You would then configure mirroring on the switch and set up a separate installation of Snort on say a Linux host on the LAN and connect that host to the span port on the switch. Only then could Snort on the Linux host see traffic between other LAN hosts.