Netgate Discussion Forum
    feeding pfSense traffic to IDS running on a different host

    Category: IDS/IPS
    3 Posts 3 Posters 562 Views
    • luke404

      Hello forum.

      I'm investigating the possibility to run an IDS on a different host and feed it data collected from an interface in pfSense.

      I cannot intercept the traffic "outside" of pfSense since it is running on a hosted VMware cluster; that's why I'm looking for a solution that could be run in pfSense. We would like to keep our pfSense systems small and tidy, and that's why I'd like to run the IDS on a different host.

      I tried researching the topic for Snort but without any luck so far and I will check out Suricata and any other option.

      If anyone here has any helpful comment or feedback, it would be very much appreciated.

      To recap, what I'd like to achieve is:

      • have an IDS running on host "A" (running Linux or FreeBSD)
      • have it analyze, in near-real-time, traffic flowing through an interface of host "B", which is running the latest pfSense

      Thank you

      • bmeeks @luke404

        @luke404 said in feeding pfSense traffic to IDS running on a different host:

        Hello forum.

        I'm investigating the possibility to run an IDS on a different host and feed it data collected from an interface in pfSense.

        I cannot intercept the traffic "outside" of pfSense since it is running on a hosted VMware cluster; that's why I'm looking for a solution that could be run in pfSense. We would like to keep our pfSense systems small and tidy, and that's why I'd like to run the IDS on a different host.

        I tried researching the topic for Snort but without any luck so far and I will check out Suricata and any other option.

        If anyone here has any helpful comment or feedback, it would be very much appreciated.

        To recap, what I'd like to achieve is:

        • have an IDS running on host "A" (running Linux or FreeBSD)
        • have it analyze, in near-real-time, traffic flowing through an interface of host "B", which is running the latest pfSense

        Thank you

        The only way this would be possible is to have a switch capable of port mirroring (or a SPAN port in Cisco terminology). You can configure managed switches that support mirroring so that all packets received on a port are copied over to a specified mirror port.

        Since you mentioned you are running on VMware, you can refer to this article on configuring port mirroring on VMware virtual switches: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.networking.doc/GUID-CFFD9157-FC17-440D-BDB4-E16FD447A1BA.html.

        I assume that pfSense and your IDS host are both hosted in the same VMware infrastructure and share a vSwitch. That will be required for the idea above to work.

        • garyd @luke404
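Once a mirror port (switch SPAN or vSwitch mirroring) is in place, the first thing to verify on the IDS host is that its sniffing interface really receives other hosts' traffic. The following Python script is an added example, not code from this thread or from pfSense/Netgate. It parses a classic libpcap capture (such as one taken with tcpdump on the IDS host's mirror-facing interface) and classifies each frame by its MAC addresses: on an ordinary switch port a host only sees unicast addressed to itself plus broadcast/multicast, while on a working mirror it also sees unicast exchanged between third parties (the pfSense interface and its peers). The MAC and IP addresses and the in-memory capture are constructed for the demonstration; only the standard library is used.

```python
"""Check whether an IDS host's sniffing interface actually sees mirrored
(SPAN) traffic, by classifying Ethernet frames in a libpcap capture.
Added example with constructed data; not pfSense, Snort or Suricata code."""
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100


def frames_from_pcap(data: bytes):
    """Yield raw Ethernet frames from a classic libpcap capture held in memory."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:      # file written little-endian
        order = "<"
    elif magic == 0xD4C3B2A1:    # file written big-endian
        order = ">"
    else:
        raise ValueError("not a classic pcap capture (pcapng is not handled here)")
    (linktype,) = struct.unpack(order + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("capture is not Ethernet (LINKTYPE %d)" % linktype)
    offset = 24                      # skip the 24-byte global header
    while offset + 16 <= len(data):  # each record: 16-byte header + frame
        _sec, _usec, incl_len, _orig = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def classify_frame(frame: bytes, own_mac: bytes) -> str:
    """Label a frame by what its MAC addresses say about how it reached us."""
    if len(frame) < 14:
        return "runt"
    dst, src = frame[:6], frame[6:12]
    if dst == own_mac or src == own_mac:
        return "own"               # seen on any port; proves nothing about mirroring
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 0x01:
        return "multicast"         # STP, LLDP, mDNS and similar
    return "mirrored-unicast"      # third-party unicast: only a mirror delivers this


def ipv4_endpoints(frame: bytes):
    """Return (src_ip, dst_ip) of an IPv4 frame (802.1Q-tagged or not), else None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = 14
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
        ethertype = struct.unpack("!H", frame[16:18])[0]   # inner ethertype after the TCI
        l3 = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < l3 + 20:
        return None
    src = ".".join(str(b) for b in frame[l3 + 12:l3 + 16])
    dst = ".".join(str(b) for b in frame[l3 + 16:l3 + 20])
    return src, dst


def mirror_report(pcap: bytes, own_mac: bytes) -> dict:
    """Summarise a capture: frame classes, third-party IPv4 flows and a verdict."""
    counts, flows = Counter(), Counter()
    for frame in frames_from_pcap(pcap):
        kind = classify_frame(frame, own_mac)
        counts[kind] += 1
        if kind == "mirrored-unicast":
            endpoints = ipv4_endpoints(frame)
            if endpoints:
                flows[endpoints] += 1
    if counts["mirrored-unicast"] > 0:
        verdict = "mirror OK"
    else:
        verdict = ("no third-party unicast seen: check the SPAN/vSwitch mirror "
                   "configuration and that the sniffing interface is promiscuous")
    return {"frames": sum(counts.values()), "by_kind": dict(counts),
            "mirrored_ipv4_flows": dict(flows), "verdict": verdict}


# --- constructed sample capture (not real traffic) ----------------------------
def build_eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def build_ipv4(src_ip, dst_ip):
    """Minimal 20-byte IPv4 header; checksum left zero, which this parser ignores."""
    s = bytes(int(x) for x in src_ip.split("."))
    d = bytes(int(x) for x in dst_ip.split("."))
    return struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 6, 0) + s + d

def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records

IDS_MAC = bytes.fromhex("0a0000000001")      # IDS host's sniffing NIC (constructed)
PFSENSE_MAC = bytes.fromhex("0a0000000002")  # pfSense LAN interface (constructed)
CLIENT_MAC = bytes.fromhex("0a0000000003")   # a LAN client behind pfSense (constructed)

SAMPLE_MIRRORED = build_pcap([
    build_eth(IDS_MAC, PFSENSE_MAC, ETHERTYPE_IPV4, build_ipv4("192.0.2.1", "192.0.2.50")),
    build_eth(b"\xff" * 6, CLIENT_MAC, ETHERTYPE_ARP, b"\x00" * 28),
    build_eth(PFSENSE_MAC, CLIENT_MAC, ETHERTYPE_IPV4, build_ipv4("192.0.2.10", "198.51.100.7")),
    build_eth(CLIENT_MAC, PFSENSE_MAC, ETHERTYPE_IPV4, build_ipv4("198.51.100.7", "192.0.2.10")),
])
SAMPLE_NOT_MIRRORED = build_pcap([
    build_eth(IDS_MAC, PFSENSE_MAC, ETHERTYPE_IPV4, build_ipv4("192.0.2.1", "192.0.2.50")),
    build_eth(b"\xff" * 6, CLIENT_MAC, ETHERTYPE_ARP, b"\x00" * 28),
])

if __name__ == "__main__":
    for name, cap in (("mirrored", SAMPLE_MIRRORED), ("not mirrored", SAMPLE_NOT_MIRRORED)):
        print(name, mirror_report(cap, IDS_MAC))
```

In practice you would replace the constructed captures with the bytes of a short tcpdump file taken on the IDS host's mirror-facing interface. If the report shows only "own" and "broadcast"/"multicast" frames, the mirror is not delivering traffic, regardless of how many packets the interface counter says it received.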

          @luke404 said in feeding pfSense traffic to IDS running on a different host:

          We would like to keep our pfSense systems small and tidy and that's why I'd like to run the IDS on a different host.

          Have you considered using something like sguil or security onion to collect alerts from your sensors?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.