feeding pfSense traffic to IDS running on a different host


  • Hello forum.

    I'm investigating the possibility to run an IDS on a different host and feed it data collected from an interface in pfSense.

    I cannot intercept the traffic "outside" of pfSense since it is running on a hosted VMware cluster, which is why I'm looking for a solution that could be run in pfSense. We would like to keep our pfSense systems small and tidy, and that's why I'd like to run the IDS on a different host.

    I tried researching the topic for Snort but without any luck so far and I will check out Suricata and any other option.

    If anyone here has any helpful comment or feedback it would be much appreciated.

    To recap, what I'd like to achieve is:

    • have an IDS running on host "A" (running Linux or FreeBSD)
    • have it analyze in near-realtime traffic flowing through an interface of host "B" which is running the latest pfSense

    Thank you


  • @luke404 said in feeding pfSense traffic to IDS running on a different host:

    Hello forum.

    I'm investigating the possibility to run an IDS on a different host and feed it data collected from an interface in pfSense.

    I cannot intercept the traffic "outside" of pfSense since it is running on a hosted VMware cluster, which is why I'm looking for a solution that could be run in pfSense. We would like to keep our pfSense systems small and tidy, and that's why I'd like to run the IDS on a different host.

    I tried researching the topic for Snort but without any luck so far and I will check out Suricata and any other option.

    If anyone here has any helpful comment or feedback it would be much appreciated.

    To recap, what I'd like to achieve is:

    • have an IDS running on host "A" (running Linux or FreeBSD)
    • have it analyze in near-realtime traffic flowing through an interface of host "B" which is running the latest pfSense

    Thank you

    The only way this would be possible is to have a switch capable of port mirroring (or a SPAN port in Cisco terminology). You can configure managed switches that support mirroring so that all packets received on a port are copied over to a specified mirror port.

    Since you mentioned you are running on VMware, you can refer to this article on configuring port mirroring on VMware virtual switches: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.networking.doc/GUID-CFFD9157-FC17-440D-BDB4-E16FD447A1BA.html.

    I assume that pfSense and your IDS host are both hosted in the same VMware infrastructure and share a vSwitch. That will be required for the idea above to work.
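    Once a vSwitch mirror session is in place, the practical question is whether the sensor's sniffing interface actually receives the copied frames. The check below is an added example, not code from the thread or from pfSense/VMware: it parses a pcap (the kind you would get from tcpdump or tcpdump -w on the IDS host) and counts frames by destination MAC. On a working mirror, most frames are addressed to MACs other than the sensor's own; if nearly everything is either addressed to the sensor or broadcast/multicast, the mirror is not delivering pfSense's traffic. The sensor MAC, the 50% threshold and the two sample captures are constructed for the example.

```python
"""
Sanity-check a capture from the IDS host's sniffing interface.

On a healthy mirror/SPAN setup most Ethernet frames will have a destination
MAC that is neither the sensor's own address nor a broadcast/multicast
address. This module builds small constructed pcaps inline so it runs offline.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
# magic, version major, version minor, thiszone, sigfigs, snaplen, link type
PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len, orig_len
PCAP_REC_HDR = struct.Struct("<IIII")
LINKTYPE_ETHERNET = 1

SENSOR_MAC = "02:00:00:00:00:aa"  # constructed: MAC of the IDS host's sniffing NIC


def parse_pcap(data: bytes):
    """Yield raw Ethernet frames from a little-endian classic pcap byte string."""
    magic, _major, _minor, _tz, _sig, _snap, network = PCAP_GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    if network != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % network)
    off = PCAP_GLOBAL_HDR.size
    while off + PCAP_REC_HDR.size <= len(data):
        _sec, _usec, incl_len, _orig_len = PCAP_REC_HDR.unpack_from(data, off)
        off += PCAP_REC_HDR.size
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated trailing record; stop rather than misparse
        off += incl_len
        yield frame


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def classify_frames(frames, sensor_mac: str):
    """Count frames whose destination is the sensor itself, a group address, or a foreign unicast MAC."""
    counts = {"own": 0, "bcast_mcast": 0, "foreign": 0}
    sensor = sensor_mac.lower()
    for frame in frames:
        if len(frame) < 14:
            continue  # shorter than an Ethernet header
        dst = frame[0:6]
        if mac_str(dst) == sensor:
            counts["own"] += 1
        elif dst[0] & 0x01:  # I/G bit set: broadcast or multicast
            counts["bcast_mcast"] += 1
        else:
            counts["foreign"] += 1
    return counts


def mirror_looks_healthy(counts, min_foreign_ratio: float = 0.5) -> bool:
    """True when a large enough share of frames are unicast to other hosts, i.e. the mirror is delivering traffic."""
    total = sum(counts.values())
    if total == 0:
        return False
    return counts["foreign"] / total >= min_foreign_ratio


# --- constructed sample captures (not real traffic) ---------------------------

def build_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack(">H", ethertype) + payload)


def build_pcap(frames) -> bytes:
    out = bytearray(PCAP_GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += PCAP_REC_HDR.pack(1700000000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def sample_mirrored_capture() -> bytes:
    """Mirror working: three frames between other hosts, one broadcast, one to the sensor."""
    return build_pcap([
        build_frame("02:00:00:00:00:01", "02:00:00:00:00:02"),
        build_frame("02:00:00:00:00:02", "02:00:00:00:00:01"),
        build_frame("02:00:00:00:00:03", "02:00:00:00:00:01"),
        build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", ethertype=0x0806),
        build_frame(SENSOR_MAC, "02:00:00:00:00:01"),
    ])


def sample_unmirrored_capture() -> bytes:
    """Mirror not working: the sensor only sees its own unicast plus broadcasts."""
    return build_pcap([
        build_frame(SENSOR_MAC, "02:00:00:00:00:01"),
        build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", ethertype=0x0806),
        build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:02", ethertype=0x0806),
    ])


if __name__ == "__main__":
    for name, cap in (("mirrored", sample_mirrored_capture()), ("unmirrored", sample_unmirrored_capture())):
        counts = classify_frames(parse_pcap(cap), SENSOR_MAC)
        print(name, counts, "healthy" if mirror_looks_healthy(counts) else "NOT healthy")
```

    Run it against a real capture by replacing the constructed bytes with open("capture.pcap", "rb").read() and SENSOR_MAC with the sniffing NIC's address; the interface must be in promiscuous mode (tcpdump enables it by default), otherwise foreign unicast frames are dropped by the NIC before any tool sees them and the check will report an unhealthy mirror even when the vSwitch session is correct.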


  • @luke404 said in feeding pfSense traffic to IDS running on a different host:

    We would like to keep our pfSense systems small and tidy and that's why I'd like to run the IDS on a different host.

    Have you considered using something like Sguil or Security Onion to collect alerts from your sensors?