Netgate Discussion Forum
    Setting up tnsr & Snort
TNSR
7 Posts 4 Posters 986 Views

mwhelanmachship:

Hi,

We're currently testing the HOMELAB version of tnsr as a proof of concept before purchasing.
We have 3 tnsr VMs set up on Proxmox and are trying to get snort and eventually IPsec VPN set up.

I'm trying to configure snort on tnsr01, which is the master.

I've been following the instructions on https://github.com/Netgate/TNSR_IDS/blob/master/tnsr_snort_setup.md

When I set up the gre and gre1 interfaces, tnsr01 seems to keep re-registering the interfaces, which I think is causing a problem when trying to use snort on the dataplane interfaces. This is what keeps coming up on the server once the gre1 interface is enabled:

[screenshot attached: 548d69ab-fc43-479b-af93-84e5f0ce5bea-image.png]

When we try to use snort on either of the dataplane interfaces, snort gives the following error:

Can't start DAQ (-1) - SIOCGIFHWADDR

Snort does work on the HOST interface.

I think the dataplane interfaces are losing their registration, and then when trying to start the snort logs via the dataplane shell it can't see the interface, so it gives us the 2nd error.

Hoping someone has seen either of these errors before and can help us out!

Thanks
Derelict (LAYER 8, Netgate), last edited by Derelict:

Snort on tnsr is not currently supported.

You can use a span port to send all traffic to an IDS node and code that node to block IP addresses using the API based on the sensor readings there.

https://docs.netgate.com/tnsr/en/latest/recipes/gre-erspan/index.html

https://fidelissecurity.com/technology-partners/netgate-tnsr/

Please re-read that link. Nothing there refers to running snort on the tnsr node itself.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

kiokoman (LAYER 8):

TNSR version?
setup.md seems to be old; I'm unable to follow some of those steps on my 20.10.

    configure
    acl snortblock
    rule 2147483646
    action permit
    exit
    exit

I had to add "ip-version ipv4" before "action permit" as it's mandatory.

Also

    access-list input acl snortblock 10

now I think it's

    access-list input acl snortblock sequence 10

At this point I saw "vpp1: renamed" only once.

But I've still not installed snort, and the tnsrids service does not start.

̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
Please do not use chat/PM to ask for help
we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
Don't forget to Upvote with the 👍 button for any post you find to be helpful.

mwhelanmachship @kiokoman:

@kiokoman thanks for your reply!
We're using 20.10 also.
I already had the ACL rule created and added to the interface.

I'm struggling to find the tnsrids service on the host or tnsrcli. I'm not sure which it should be on.

I only now noticed that the guide for snort on tnsr is old.

mwhelanmachship @Derelict:

@Derelict thanks for your reply!
Any reason why snort is no longer supported on tnsr?

I'll use the Netgate gre-erspan link now rather than the GitHub link.

Derelict (LAYER 8, Netgate):

Snort was never supported on tnsr.

Galactica_Actual:

Netgate provided an example of how to integrate Snort to create an IDS back in 2018, which needs an update as TNSR has continued to evolve. From a 2018 blog:

TNSR-IDS is written in the Go programming language, allowing it to be easily compiled for a large number of OS and architectures. Details, source code, and setup instructions (including TNSR, SNORT and ERSPAN) can be found at the TNSR-IDS Project GitHub Repository (https://github.com/Netgate/TNSR_IDS). A README file is included in the repository that provides a lot of detail about the process, as well as a TNSR-Snort setup file that gives detailed installation instructions.

I'd use that as a starting point, but there may well be some architectural or setting changes that need to be tweaked to get the spice flowing.

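The two technical points in this thread are Derelict's architecture (run Snort on a separate IDS node fed by a SPAN/ERSPAN copy, and have that node push blocks into TNSR) and kiokoman's note that an ACL rule on 20.10 needs "ip-version ipv4" and a catch-all "action permit" at rule 2147483646. The following Go program is an added example written for this page; it is not code from the TNSR-IDS repository or from Netgate. It parses Snort "alert_fast" output, counts alerts per external source address, and renders a TNSR-style ACL block for the sources that cross a threshold. The sample alert lines are constructed (RFC 5737 addresses). The acl name "snortblock", the "ip-version ipv4" line and the final permit rule come from the thread; "action deny" and "source address" are assumed ACL rule keywords and should be checked against your TNSR version before use.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample of Snort alert_fast output (not captured from the poster's
// system). Sources 203.0.113.x are "outside"; 198.51.100.0/24 is the protected net.
const sampleAlerts = `01/15-10:02:11.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:44321 -> 198.51.100.5:80
01/15-10:02:12.654321  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:44322 -> 198.51.100.5:80
01/15-10:02:13.000001  [**] [1:1000001:1] LOCAL scan probe [**] [Priority: 3] {UDP} 203.0.113.77:5353 -> 198.51.100.5:53
01/15-10:02:14.000002  [**] [1:1000001:1] LOCAL scan probe [**] [Priority: 3] {ICMP} 198.51.100.5 -> 203.0.113.10
garbage line that does not match the format
`

// fastAlertRe matches the tail of an alert_fast line: "{PROTO} SRC[:PORT] -> DST[:PORT]".
var fastAlertRe = regexp.MustCompile(`\{(\w+)\}\s+(\S+)\s+->\s+(\S+)\s*$`)

// srcHost strips a trailing ":port" when present; ICMP alerts carry bare addresses.
func srcHost(s string) string {
	if h, _, err := net.SplitHostPort(s); err == nil {
		return h
	}
	return s
}

// CountOffenders returns alert counts per IPv4 source address, ignoring sources
// inside the protected prefix (never block your own hosts) and unparseable lines.
func CountOffenders(alerts string, protected *net.IPNet) map[string]int {
	counts := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(alerts))
	for sc.Scan() {
		m := fastAlertRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		ip := net.ParseIP(srcHost(m[2]))
		if ip == nil || ip.To4() == nil || protected.Contains(ip) {
			continue
		}
		counts[ip.String()]++
	}
	return counts
}

// BlockList returns the sources with at least `threshold` alerts, sorted for
// stable rule ordering.
func BlockList(counts map[string]int, threshold int) []string {
	var out []string
	for ip, n := range counts {
		if n >= threshold {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}

// RenderACL renders TNSR CLI configuration text for the block list. One deny
// rule per address, then the catch-all permit at sequence 2147483646 as in the
// thread. "action deny" / "source address" are assumed keywords (hypothetical).
func RenderACL(aclName string, blocked []string, startSeq, step int) string {
	var b strings.Builder
	fmt.Fprintf(&b, "configure\nacl %s\n", aclName)
	seq := startSeq
	for _, ip := range blocked {
		fmt.Fprintf(&b, "rule %d\nip-version ipv4\naction deny\nsource address %s/32\nexit\n", seq, ip)
		seq += step
	}
	b.WriteString("rule 2147483646\nip-version ipv4\naction permit\nexit\nexit\n")
	return b.String()
}

func main() {
	_, protected, _ := net.ParseCIDR("198.51.100.0/24")
	counts := CountOffenders(sampleAlerts, protected)
	blocked := BlockList(counts, 2)
	fmt.Print(RenderACL("snortblock", blocked, 10, 10))
}
```

With the sample input only 203.0.113.10 reaches the threshold of 2, so the output is a single deny rule followed by the permit-all. On a real deployment the rendered text would be applied through the TNSR API rather than pasted into the CLI, and the ACL must already be attached to the interface with "access-list input acl snortblock sequence 10" as kiokoman describes.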
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.