Netgate Discussion Forum
    Tailscale and Snort

ericreiss:

      Hi,

      I want to setup Snort on all interfaces behind pfSense. That includes if there is a WireGuard connection and a Tailscale connection.

      The WireGuard has an interface assigned but Tailscale does not.

      I can choose the WireGuard interface in Snort.

      I tried assigning the unassigned tailscale0 interface but when I did this on a Netgate 6100 MAX late yesterday, I had a problem getting it to boot this morning. I had to connect to console and restore a saved config.

      I tried this on the pfSense running on a PC that I had first been experimenting with and assigned the tailscale0 interface but with no IPv4 assigned.

Before trying a reboot, I tried bringing up the management interface on the Tailscale IP which was working previously, but no go.

      Then I removed the assigned interface and still no management access on the Tailscale IP.

      I rebooted and was back to square one.

      Any idea how to get Tailscale assigned as an interface so that I can get Snort to see it?

      ~Eric

mooncaptain:

        I found this on reddit
        some hints that may help

        I added a firewall alias list with login.tailscale.com and controlplane.tailscale.com

Alias name: tailscale; Host(s): login.tailscale.com, controlplane.tailscale.com

        I added the above alias to the pass lists in snort.

The above seems to be working OK; I have only tested it by doing remote desktop from one Tailscale machine to another.

        The connection failed with snort turned on and no pass list using the alias.

Don't forget to clear the block lists after making changes.

mooncaptain (reply to mooncaptain):

          @mooncaptain
More URLs to add to your pass list.
I found these are necessary: after running Snort for a while, these URLs started to get blocked.
There may be more.

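The failure mode both of mooncaptain's posts describe is the Tailscale coordination hosts from the alias ending up in Snort's block list. The script below is an added example, not code from the thread or from Netgate: it takes the alias hostnames, their resolved addresses, and the contents of the snort2c pf table (the table the pfSense Snort package blocks through, read with `pfctl -t snort2c -T show`), reports which alias addresses are currently caught, and prints the matching `pfctl ... -T delete` commands. The table output and DNS answers here are constructed samples so it runs offline; on a real firewall you would feed it the live pfctl output and a real resolver.

```python
import ipaddress

# Hostnames the thread puts in the pfSense alias used as a Snort pass list.
TAILSCALE_ALIAS_HOSTS = ["login.tailscale.com", "controlplane.tailscale.com"]

# Constructed sample of `pfctl -t snort2c -T show` output (RFC 5737 addresses).
SAMPLE_SNORT2C_OUTPUT = """\
   192.0.2.10
   198.51.100.0/24
   203.0.113.77
"""

# Constructed DNS answers so this runs offline (live: socket.getaddrinfo).
SAMPLE_RESOLVED = {
    "login.tailscale.com": ["192.0.2.10", "192.0.2.11"],
    "controlplane.tailscale.com": ["198.51.100.42"],
}


def parse_snort2c_table(text):
    """Turn pfctl table output into networks; bare hosts become /32 or /128."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def blocked_alias_addresses(hosts, resolve, table_text):
    """List (hostname, resolved address, matching table entry) for every alias
    address that the snort2c block table currently catches."""
    nets = parse_snort2c_table(table_text)
    hits = []
    for host in hosts:
        for addr in resolve(host):
            ip = ipaddress.ip_address(addr)
            hits += [(host, addr, str(net)) for net in nets if ip in net]
    return hits


def unblock_commands(hits):
    """pfctl commands that drop the matching entries (deduplicated, in order)."""
    entries = dict.fromkeys(entry for _, _, entry in hits)
    return [f"pfctl -t snort2c -T delete {e}" for e in entries]


if __name__ == "__main__":
    found = blocked_alias_addresses(TAILSCALE_ALIAS_HOSTS,
                                    lambda h: SAMPLE_RESOLVED.get(h, []),
                                    SAMPLE_SNORT2C_OUTPUT)
    print("\n".join(unblock_commands(found)))
```

A hit here means the alias is not (yet) effective as a pass list or Snort blocked the host before the pass list was applied; as the thread notes, the block entries have to be cleared after the pass list change for the fix to take effect.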