Netgate Discussion Forum
    Snort on pfSense port-scan configuration

    6 Posts 3 Posters 1.0k Views
mihan (last edited by mihan):

      Hi

I have installed Snort on pfSense and enabled all default features. For now, we're using it only in 'monitor' mode (blocking mode is disabled).
Since we have services behind our pfSense (mostly web services) and are doing NAT from public IPs to private IPs that run web services, I have enabled Snort on the WAN interface.
Under alerts I see some alerts like
SERVER-WEBAPP TP-Link Archer Router command injection attempt
SERVER-OTHER Apache Log4j logging remote code execution attempt

I have also enabled the portscan detection function (default options) under Interface - WAN Preprocs, but I can't see any alerts that would show us if port scanning was issued. We did a port scan from an outside network, but Snort didn't detect or report any alerts that port scanning was going on.
Am I missing something here so we'll be able to see portscan detection under alerts?

      Thank you

SteveITS (Galactic Empire), replying to mihan:

@mihan Snort/Suricata runs "outside" the firewall, so if it is run on WAN it will scan all inbound traffic/packets regardless of firewall rules. If you move it to LAN, it will 1) scan less traffic, and 2) alerts will contain the LAN IP of the device instead of the pfSense WAN IP.

        We use Suricata so I can't answer the port scan question.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

mihan, replying to SteveITS:

          @SteveITS Hi

Thank you for the reply. So I need to change to using Snort on the LAN interface, not WAN; is that best practice?
I was thinking that if I use it on the WAN interface, Snort will analyze all incoming traffic from the internet before it reaches our LAN (over NAT)?

SteveITS (Galactic Empire), replying to mihan:

            @mihan You can run it on WAN, if desired. The order of packet flow is:

            Internet - Snort - firewall rules WAN - routing - firewall rules LAN (irrelevant for packets from Internet) - LAN devices

            On either WAN or LAN it will alert/block.

tinfoilmatt, replying to SteveITS:

              @SteveITS said in Snort on pfSense port-scan configuration:

              Internet - Snort - firewall rules WAN - routing - firewall rules LAN (irrelevant for packets from Internet) - LAN devices

              If running an instance on a WAN and LAN interface simultaneously, the order is:

              WAN ingress > Snort WAN instance > WAN ruleset > routing (i.e., WAN egress > LAN ingress) > Snort LAN instance > LAN ruleset > LAN egress

              I personally run my 'heaviest duty' IDS/IPS instance on the LAN interface, and then a 'lighter' IDS/IPS instance on the WAN interface with only rules that contemplate open ports.

mihan, replying to SteveITS:
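The two replies above describe the same packet order (Snort WAN instance, then WAN ruleset, then routing, then the Snort LAN instance) and the consequence that a LAN instance sees less traffic and reports the LAN address rather than the pfSense WAN address. The following is an added Python model of that order; it is not code from the thread or from the Snort or pfSense projects. The public IP, the two NAT entries, the WAN ruleset that passes only forwarded ports, and the five-port probe set are all constructed sample data, and "routing" is collapsed together with the port forward into one rewrite step for brevity.

```python
from dataclasses import dataclass, replace

# Constructed sample policy, not taken from the thread: one public IP,
# a NAT map for two published web ports, and a WAN ruleset that only
# passes ports which have a port forward. Addresses are RFC 5737 / RFC 1918.
WAN_IP = "203.0.113.10"
NAT = {80: ("10.0.0.5", 80), 443: ("10.0.0.5", 443)}  # public port -> (LAN host, port)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def wan_rules(pkt):
    """Hypothetical WAN ruleset: pass only ports that have a NAT entry."""
    return pkt if pkt.dport in NAT else None


def route_and_nat(pkt):
    """Routing step from the thread, collapsed with the port forward: rewrite
    the public destination to the LAN host before the packet reaches LAN."""
    host, port = NAT[pkt.dport]
    return replace(pkt, dst=host, dport=port)


def run_pipeline(packets, snort_on_wan=True, snort_on_lan=True):
    """Walk packets through: Snort WAN -> WAN rules -> routing/NAT -> Snort LAN.
    Returns what each Snort instance was handed and what reached the LAN."""
    seen = {"wan": [], "lan": []}
    delivered = []
    for pkt in packets:
        if snort_on_wan:
            seen["wan"].append(pkt)          # sees everything, pre-firewall
        passed = wan_rules(pkt)
        if passed is None:
            continue                         # dropped; LAN instance never sees it
        lan_pkt = route_and_nat(passed)
        if snort_on_lan:
            seen["lan"].append(lan_pkt)      # sees only what the WAN rules passed
        delivered.append(lan_pkt)
    return seen, delivered


def distinct_ports_per_source(packets):
    """The figure a simple portscan heuristic works from: distinct
    destination ports observed per source address."""
    out = {}
    for p in packets:
        out.setdefault(p.src, set()).add(p.dport)
    return out


# Constructed probe set: one outside host touching five ports on the public IP.
SCAN = [Packet("198.51.100.7", WAN_IP, port) for port in (22, 80, 443, 3389, 8080)]

if __name__ == "__main__":
    seen, delivered = run_pipeline(SCAN)
    for stage in ("wan", "lan"):
        counts = distinct_ports_per_source(seen[stage])
        dsts = {p.dst for p in seen[stage]}
        print(f"Snort {stage.upper()}: {len(seen[stage])} packets, "
              f"ports per source {dict((k, sorted(v)) for k, v in counts.items())}, "
              f"destination addresses in alerts {sorted(dsts)}")
```

Running it shows the WAN instance handed all five probed ports with the public address as destination, while the LAN instance is handed only the two forwarded ports with the 10.0.0.5 address. That difference is why a WAN instance is the one that can observe a scan across closed ports at all, and why a port-count heuristic placed on LAN has far less to work with.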

                @SteveITS

Thank you for the reply.
I was running Snort on WAN, but I can't see any portscan detection alerts.
We issued a few port scans from different outside IPs, but there were no alerts under Snort.
Are we doing something wrong?

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.