Record client address in snort



  • Probably missed an obvious setting but..

    Every snort alert records the address of the pfsense LAN address as either the source or destination rather than the actual LAN client.

    A pointer to what I have missed would be appreciated (or clarification that I am looking for the impossible).

    Otherwise snort and pfsense work great.

    Thanks

    Andrew



  • Services -> Snort -> Alerts then select the interface.

    If you only run snort on the WAN interface you'll only see your WAN address.



  • @NogBadTheBad
    So I need to run snort on the WAN and on the LAN interface?



  • @andrewdr said in Record client address in snort:

    @NogBadTheBad
    So I need to run snort on the WAN and on the LAN interface?

    No, you should generally run Snort only on the LAN interface. That way, all IP addresses recorded on the ALERTS tab will be your actual LAN host addresses. If you run Snort on the WAN, all alerts will show any local host to be using the WAN's public IP. This is because Snort sits out in front of the firewall on any interface. In other words, on the WAN, incoming packets hit Snort first; and outgoing packets hit Snort last. Thus Snort only ever sees the NAT-applied IP address for any local hosts. Running it on the LAN takes care of the NAT problem.

    And unless you have special port forwarding turned on and are serving a public server through the firewall, it makes no material difference in terms of security to run Snort on the LAN.



  • @bmeeks We are running a mail server and openvpn server so maybe a bit more research before a wholesale change to snort - thanks.



  • @andrewdr said in Record client address in snort:

    @bmeeks We are running a mail server and openvpn server so maybe a bit more research before a wholesale change to snort - thanks.

    You would be fine to put a Snort instance (or instances) on the firewall interfaces where those servers are located. Hopefully you have them in a DMZ of some sort. If so, then put Snort on the DMZ interface. Remember that Snort is not there to protect the firewall, it is there to protect clients behind the firewall. I say this because a firewall is generally very secure and when properly configured has a very minimal attack surface. Client machines (PCs and servers), on the other hand, have tons of attack surfaces. And the biggest attack surface of all is the human sitting at the client's keyboard clicking "yes" and "OK" to just about every single prompt ... ☺.
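
A way to check from existing alerts whether a Snort instance sits on the NAT side described in this thread, as an added example that is not part of any post above and not pfSense or Snort code. It assumes alerts in Snort's plain-text "fast" layout ending in `{PROTO} src:port -> dst:port`; the addresses, sample lines and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Tail of a Snort "fast" alert line: {PROTO} src[:port] -> dst[:port] (IPv4 only).
ENDPOINTS = re.compile(
    r"\{\w+\}\s+(\d+(?:\.\d+){3})(?::\d+)?\s+->\s+(\d+(?:\.\d+){3})(?::\d+)?\s*$")

# Constructed values: the firewall's own WAN and LAN addresses, and the LAN subnet.
FIREWALL_IPS = {ipaddress.ip_address("198.51.100.7"), ipaddress.ip_address("192.168.1.1")}
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample alerts (documentation address ranges, made-up rule id).
HDR = "03/14-10:15:02.120001  [**] [1:1000001:1] constructed sample rule [**] [Priority: 3] "
WAN_SAMPLE = [HDR + "{TCP} 198.51.100.7:51514 -> 203.0.113.20:80",
              HDR + "{UDP} 203.0.113.53:53 -> 198.51.100.7:40112"]
LAN_SAMPLE = [HDR + "{TCP} 192.168.1.23:51514 -> 203.0.113.20:80",
              HDR + "{ICMP} 203.0.113.9 -> 192.168.1.40"]

def classify(line, firewall_ips=FIREWALL_IPS, lan_net=LAN_NET):
    """Return 'lan-host', 'firewall-only', 'other', or None if the line does not parse."""
    m = ENDPOINTS.search(line)
    if not m:
        return None
    try:
        ends = [ipaddress.ip_address(g) for g in m.groups()]
    except ValueError:  # e.g. an octet above 255
        return None
    # A real client is a LAN address that is not the firewall's own interface.
    if any(ip in lan_net and ip not in firewall_ips for ip in ends):
        return "lan-host"
    if any(ip in firewall_ips for ip in ends):
        return "firewall-only"
    return "other"

def summarize(lines):
    """Count alert classes, skipping lines that do not parse."""
    return Counter(c for c in map(classify, lines) if c)

def sensor_sees_clients(lines):
    """True when at least one alert names an actual LAN host."""
    return summarize(lines)["lan-host"] > 0

if __name__ == "__main__":
    for name, sample in (("WAN instance", WAN_SAMPLE), ("LAN instance", LAN_SAMPLE)):
        print(name, dict(summarize(sample)), "clients visible:", sensor_sees_clients(sample))
```
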

