Netgate Discussion Forum
    Snort LAN interface assignment

    Category: IDS/IPS
    6 Posts 2 Posters 432 Views
    JonathanLee

      I don't know if this is of concern also. My LAN interface assignment to Snort only detects the destination as the firewall and does not list the WAN IP it is trying to access after this update. Prior to the update it most often listed the LAN and the WAN and did not list the firewall as the destination.

      Has anyone else noticed this?

      Make sure to upvote

    bmeeks

        Show a screen capture of what you are talking about. What you posted is not clear. What do you mean by WAN IP? Do you mean the literal public IP address assigned to your firewall, or do you really mean an external IP (as in totally outside your local networks)?

    JonathanLee @bmeeks

          @bmeeks

          Screenshot 2023-10-05 at 3.23.59 PM.png

          They all show traversal to the proxy or firewall IP.

          Is there a way to see the NAT or where the LAN clients want to go after the firewall?

          Make sure to upvote

    bmeeks @JonathanLee

            @JonathanLee said in Snort LAN interface assignment:

            Is there a way to see the NAT or where the LAN clients want to go after the firewall?

            No, look at the other posts where I have posted the diagrams of how network traffic flows when using one of the IDS/IPS packages. The IDS/IPS sits directly between the physical NIC and the rest of the operating system kernel. It can't see anything beyond what is contained in the packet as it comes off the NIC (or from the operating system network stack on the way to the physical NIC).

            It has no idea, nor any way to find out, what the operating system's network stack does with the packets.

    JonathanLee @bmeeks

              @bmeeks So should I move it to the WAN side because of no access to Inline Mode? My current config can see the Xbox WAN-side addresses.

              Do you know what official Netgate appliance supports Inline Mode?

              Make sure to upvote

    bmeeks @JonathanLee

                @JonathanLee said in Snort LAN interface assignment:

                So should I move it to the WAN side because of no access to Inline Mode?

                No, not in my view. And Inline Mode or not Inline Mode has zero bearing on where you should run the IDS/IPS.

                @JonathanLee said in Snort LAN interface assignment:

                Do you know what official Netgate appliance supports Inline Mode?

                Any of their non-Marvell switched-port appliances. Examples include SG-5100, SG-6100, SG-8200, and a few others. Look at the list of netmap-compatible devices I posted earlier.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.