• Hi,

    We're currently testing the HOMELAB version of tnsr as a proof of concept before purchasing.
    We have 3 tnsr VMs set up on Proxmox and are trying to get snort and eventually IPsec VPN set up.

    I'm trying to configure snort on tnsr01, which is the master.

    I've been following the instructions on https://github.com/Netgate/TNSR_IDS/blob/master/tnsr_snort_setup.md

    When I set up the gre and gre1 interfaces, tnsr01 seems to keep re-registering the interfaces, which I think is causing a problem when trying to use snort on the dataplane interfaces. This is what keeps coming up on the server once the gre1 interface is enabled:


    When we try to use snort on either of the dataplane interfaces, snort gives the following error:

    Can't start DAQ (-1) - SIOCGIFHWADDR
    

    Snort does work on the HOST interface.

    I think the dataplane interfaces are losing their registration, and then when trying to start the snort logs via the dataplane shell it can't see the interface, so it gives us the second error.

    Hoping someone has seen either of these errors before and can help us out!

    Thanks

  • LAYER 8 Netgate

    Snort on tnsr is not currently supported.

    You can use a span port to send all traffic to an IDS node and code that node to block IP addresses using the API based on the sensor readings there.

    https://docs.netgate.com/tnsr/en/latest/recipes/gre-erspan/index.html

    https://fidelissecurity.com/technology-partners/netgate-tnsr/

    Please re-read that link. Nothing there refers to running snort on the tnsr node itself.

  • LAYER 8

    TNSR version?
    setup.md seems to be old; I'm unable to follow some of those steps on my 20.10.

    configure
    acl snortblock
    rule 2147483646
    action permit
    exit
    exit
    

    I had to add "ip-version ipv4" before "action permit" as it's mandatory.

    also

    access-list input acl snortblock 10
    now I think it's
    access-list input acl snortblock sequence 10

    At this point I saw "vpp1: renamed" only once.

    But I've still not installed snort and the tnsrids service does not start.
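
    As an added example (not code from the thread or from the TNSR_IDS project) of the flow Derelict describes combined with the ACL syntax kiokoman corrected: parse Snort fast-format alerts collected on the IDS node and render the deny rules for the snortblock ACL with "ip-version ipv4" placed before "action". The sample alert lines, the 10.10.0.0/16 internal range and the function names are constructed for this example; the "source address <prefix>" keyword is assumed from TNSR's ACL documentation, not shown in the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed Snort "fast" alert lines (not taken from the thread).
SAMPLE_ALERTS = """\
10/21-14:03:11.482913  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.45:4444 -> 10.10.0.7:52144
10/21-14:03:12.001020  [**] [1:1000001:1] LOCAL scan probe [**] [Priority: 3] {TCP} 198.51.100.9:51000 -> 10.10.0.7:22
10/21-14:03:12.001300  [**] [1:1000001:1] LOCAL scan probe [**] [Priority: 3] {TCP} 198.51.100.9:51001 -> 10.10.0.7:23
10/21-14:03:15.770000  [**] [1:1000002:1] LOCAL mdns chatter [**] [Priority: 1] {UDP} 10.10.0.3:5353 -> 224.0.0.251:5353
"""

# Fields needed from a fast-format alert: priority, protocol, source and destination IPv4.
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)

# Hypothetical internal range that must never be blocked (hosts on the monitored side).
IGNORE_NETS = [ip_network("10.10.0.0/16")]


def offending_sources(alert_text, max_priority=3, ignore_nets=IGNORE_NETS):
    """Return sorted, de-duplicated source IPs from alerts at or above the given
    priority (Snort priority 1 is the most severe), skipping internal networks."""
    found = set()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or int(m.group("prio")) > max_priority:
            continue
        src = ip_address(m.group("src"))
        if any(src in net for net in ignore_nets):
            continue
        found.add(src)
    return [str(ip) for ip in sorted(found)]


def snortblock_config(ips, acl="snortblock", start_seq=10, step=10):
    """Render TNSR CLI lines: one deny rule per IP, then the trailing permit-all
    rule from the thread. 'ip-version ipv4' comes before 'action' because TNSR
    20.10 requires it; 'source address <prefix>' is assumed from the TNSR docs."""
    lines = ["configure", f"acl {acl}"]
    seq = start_seq
    for ip in ips:
        lines += [f"rule {seq}", "ip-version ipv4",
                  f"source address {ip}/32", "action deny", "exit"]
        seq += step
    lines += ["rule 2147483646", "ip-version ipv4", "action permit", "exit", "exit"]
    return lines


if __name__ == "__main__":
    print("\n".join(snortblock_config(offending_sources(SAMPLE_ALERTS))))
```

    The rendered lines are what you would paste into the TNSR CLI (or translate into the equivalent RESTCONF call) on the node that owns the snortblock ACL; the internal source at priority 1 is deliberately left out by the ignore list.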


  • @kiokoman thanks for your reply!
    We're using 20.10 also.
    I already had the acl rule created and added to the interface.

    I'm struggling to find the tnsrids service on the host or tnsrcli. I'm not sure which it should be on.

    I only noticed that guide for snort on tnsr is old.


  • @Derelict thanks for your reply!
    Any reason why snort is no longer supported on tnsr?

    I'll use the Netgate gre-erspan link now rather than the GitHub link.

  • LAYER 8 Netgate

    Snort was never supported on tnsr.


  • Netgate provided an example on how to integrate Snort to create an IDS back in 2018, which needs an update as TNSR has continued to evolve. From a 2018 blog:

    TNSR-IDS is written in the Go programming language, allowing it to be easily compiled for a large number of OS and architectures. Details, source code, and setup instructions (including TNSR, SNORT and ERSPAN) can be found at the TNSR-IDS Project GitHub Repository (https://github.com/Netgate/TNSR_IDS). A README file is included in the repository that provides a lot of detail about the process, as well as a TNSR-Snort setup file that gives detailed installation instructions.

    I'd use that as a starting point, but there may well be some architectural or setting changes that need to be tweaked to get the spice flowing.