feeding pfSense traffic to IDS running on a different host
-
Hello forum.
I'm investigating the possibility of running an IDS on a different host and feeding it data collected from an interface in pfSense.
I cannot intercept the traffic "outside" of pfSense since it is running on a hosted VMware cluster, so I'm looking for a solution that could be run in pfSense. We would like to keep our pfSense systems small and tidy, and that's why I'd like to run the IDS on a different host.
I tried researching the topic for Snort but without any luck so far, and I will check out Suricata and any other option.
If anyone here has any helpful comment or feedback, it would be very much appreciated.
To recap, what I'd like to achieve is:
- have an IDS running on host "A" (running Linux or FreeBSD)
- have it analyze, in near real time, the traffic flowing through an interface of host "B", which is running the latest pfSense
Thank you
-
@luke404 said in feeding pfSense traffic to IDS running on a different host:
Hello forum.
I'm investigating the possibility of running an IDS on a different host and feeding it data collected from an interface in pfSense.
I cannot intercept the traffic "outside" of pfSense since it is running on a hosted VMware cluster, so I'm looking for a solution that could be run in pfSense. We would like to keep our pfSense systems small and tidy, and that's why I'd like to run the IDS on a different host.
I tried researching the topic for Snort but without any luck so far, and I will check out Suricata and any other option.
If anyone here has any helpful comment or feedback, it would be very much appreciated.
To recap, what I'd like to achieve is:
- have an IDS running on host "A" (running Linux or FreeBSD)
- have it analyze, in near real time, the traffic flowing through an interface of host "B", which is running the latest pfSense
Thank you
The only way this would be possible is to have a switch capable of port mirroring (or a SPAN port in Cisco terminology). You can configure managed switches that support mirroring so that all packets received on a port are copied over to a specified mirror port.
Since you mentioned you are running on VMware, you can refer to this article on configuring port mirroring on VMware virtual switches: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.networking.doc/GUID-CFFD9157-FC17-440D-BDB4-E16FD447A1BA.html.
I assume that pfSense and your IDS host are both hosted in the same VMware infrastructure and share a vSwitch. That will be required for the idea above to work.
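To confirm what the mirror session actually hands the IDS host, here is an added Python example (not code from this thread or from pfSense/VMware) that classifies raw Ethernet frames by the MAC of the mirrored pfSense interface and reports whether both directions arrive; a one-direction mirror gives the IDS half of every conversation, which breaks TCP stream reassembly. The MACs and frames are constructed placeholders; in practice you would feed it frames captured on the IDS host's mirror-facing interface.

```python
"""Sanity-check frames delivered by a port-mirror (SPAN) session to an IDS host."""
import struct

def parse_frame(frame: bytes) -> dict:
    """Return src/dst MAC, optional 802.1Q VLAN id, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    vlan, offset = None, 14
    if etype == 0x8100:  # 802.1Q tag present: read TCI and the real EtherType
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": etype, "payload": frame[offset:]}

def mirror_report(frames, mirrored_mac: str) -> dict:
    """Count frames to/from the mirrored interface; flag a one-way mirror."""
    mirrored_mac = mirrored_mac.lower()
    ingress = egress = other = 0
    vlans = set()
    for f in frames:
        p = parse_frame(f)
        if p["vlan"] is not None:
            vlans.add(p["vlan"])
        if p["src"] == mirrored_mac:
            egress += 1          # sent by the pfSense interface
        elif p["dst"] == mirrored_mac:
            ingress += 1         # received by the pfSense interface
        else:
            other += 1           # broadcast or traffic between other hosts
    return {"ingress": ingress, "egress": egress, "other": other,
            "vlans": sorted(vlans),
            "bidirectional": ingress > 0 and egress > 0}

def make_frame(dst: str, src: str, payload: bytes, vlan=None, etype=0x0800) -> bytes:
    """Build a raw Ethernet frame (optionally 802.1Q tagged) for the samples below."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return hdr + struct.pack("!H", etype) + payload

# Constructed placeholder addresses and frames, not captured from any real network.
PFSENSE_MAC = "02:00:00:00:00:01"
CLIENT_MAC = "02:00:00:00:00:02"
SAMPLE_FRAMES = [
    make_frame(PFSENSE_MAC, CLIENT_MAC, b"\x45" + b"\x00" * 19),           # client -> pfSense
    make_frame(CLIENT_MAC, PFSENSE_MAC, b"\x45" + b"\x00" * 19),           # pfSense -> client
    make_frame(PFSENSE_MAC, CLIENT_MAC, b"\x45" + b"\x00" * 19, vlan=20),  # tagged, client -> pfSense
]
RX_ONLY_FRAMES = SAMPLE_FRAMES[::2]  # what a receive-only mirror session would deliver

if __name__ == "__main__":
    print(mirror_report(SAMPLE_FRAMES, PFSENSE_MAC))
```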
-
@luke404 said in feeding pfSense traffic to IDS running on a different host:
We would like to keep our pfSense systems small and tidy and that's why I'd like to run the IDS on a different host.
Have you considered using something like Sguil or Security Onion to collect alerts from your sensors?