Netgate Discussion Forum

Snort on pfSense port-scan configuration

    mihan
    last edited by mihan Jun 27, 2024, 1:35 PM

    Hi

    I have installed Snort on pfSense and enabled all default features. For now, we're using it only in 'monitor' mode (blocking mode is disabled).
    Since we have services behind our pfSense (mostly web services) and are doing NAT from public IPs to the private IPs that run those web services, I have enabled Snort on the WAN interface.
    Under alerts I see some alerts like
    SERVER-WEBAPP TP-Link Archer Router command injection attempt
    SERVER-OTHER Apache Log4j logging remote code execution attempt

    I have also enabled the portscan detection function (default options) under Interface - WAN Preprocs, but I can't see any alerts that would show us if port scanning was issued. We did a port scan from an outside network but Snort didn't detect or report any alerts that port scanning was going on.
    Am I missing something here, so that we'll be able to see portscan detection under alerts?

    Thank you

    SteveITS @mihan
    last edited by Jun 27, 2024, 3:24 PM

      @mihan Snort/Suricata runs "outside" the firewall, so if it is run on WAN it will scan all inbound traffic/packets regardless of firewall rules. If you move it to LAN, it will 1) scan less traffic, and 2) alerts will contain the LAN IP of the device instead of the pfSense WAN IP.

      We use Suricata so I can't answer the port scan question.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      mihan @SteveITS
      last edited by Jun 28, 2024, 7:51 AM

        @SteveITS Hi

        Thank you for the reply. So do I need to change to using Snort on the LAN interface rather than WAN, is that best practice?
        I was thinking that if I use it on the WAN interface, Snort will analyze all incoming traffic from the internet before it reaches our LAN (over NAT)?

        SteveITS @mihan
        last edited by Jun 28, 2024, 1:52 PM

          @mihan You can run it on WAN, if desired. The order of packet flow is:

          Internet - Snort - firewall rules WAN - routing - firewall rules LAN (irrelevant for packets from Internet) - LAN devices

          On either WAN or LAN it will alert/block.

          tinfoilmatt @SteveITS
          last edited by Jun 28, 2024, 2:14 PM

            @SteveITS said in Snort on pfSense port-scan configuration:

            Internet - Snort - firewall rules WAN - routing - firewall rules LAN (irrelevant for packets from Internet) - LAN devices

            If running an instance on a WAN and LAN interface simultaneously, the order is:

            WAN ingress > Snort WAN instance > WAN ruleset > routing (i.e., WAN egress > LAN ingress) > Snort LAN instance > LAN ruleset > LAN egress

            I personally run my 'heaviest duty' IDS/IPS instance on the LAN interface, and then a 'lighter' IDS/IPS instance on the WAN interface with only rules that contemplate open ports.

            mihan @SteveITS
            last edited by Jul 1, 2024, 8:32 AM

              @SteveITS

              Thank you for the reply.
              I was running Snort on WAN but I can't see any portscan detection alerts?
              We issued a few port scans from different outside IPs but there were no alerts under Snort?
              Are we doing something wrong?

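A quick way to check whether the portscan preprocessor is actually producing anything is to split the Snort alert log by generator id, since sfportscan events carry GID 122 while signature rules use GID 1. The Python below is an added example, not code from this thread or from the pfSense Snort package; its log lines, addresses and rule SIDs are constructed, and it assumes Snort's alert_fast output layout.

```python
import re
from collections import Counter

PORTSCAN_GID = 122  # generator id of Snort's sfportscan preprocessor (rule alerts use GID 1)

# One Snort 2.x alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, {protocol}, then "src[:port] -> dst[:port]".
# Portscan events carry no ports and a numeric protocol such as {PROTO:255}.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample log (documentation addresses; SIDs 100001/100002 are placeholders).
SAMPLE_ALERTS = """\
06/27-13:34:12.102334  [**] [1:100001:1] SERVER-WEBAPP TP-Link Archer Router command injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51234 -> 198.51.100.10:80
06/27-13:35:02.551209  [**] [1:100002:2] SERVER-OTHER Apache Log4j logging remote code execution attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:44010 -> 198.51.100.10:443
06/27-13:40:01.000417  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 198.51.100.10
06/27-13:41:15.220003  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 198.51.100.11
"""


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            a[key] = int(a[key]) if a[key] is not None else None
        alerts.append(a)
    return alerts


def summarize(alerts):
    """Return (scanning sources, rule-hit count): a Counter of source IPs that triggered
    the portscan preprocessor, and how many ordinary rule alerts fired. An empty Counter
    alongside rule alerts means the preprocessor emitted nothing, the symptom asked about."""
    scans = Counter(a["src"] for a in alerts if a["gid"] == PORTSCAN_GID)
    rules = sum(1 for a in alerts if a["gid"] != PORTSCAN_GID)
    return scans, rules


if __name__ == "__main__":
    scans, rules = summarize(parse_alerts(SAMPLE_ALERTS))
    print(f"{rules} rule alert(s); portscan sources: {dict(scans) or 'none'}")
```

Run it against the real alert file for the WAN instance instead of SAMPLE_ALERTS; if only GID 1 entries appear while a scan is in progress, the preprocessor itself is not firing.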
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.