Snort on pfSense port-scan configuration
-
Hi
I have installed Snort on pfSense and enabled all default features. For now, we're using it only in 'monitor' mode (blocking mode is disabled).
Since we have services behind our pfSense (mostly web services) and doing NAT from public IPs to private IPs that are running web services I have enabled Snort on WAN interface.
Under alerts I see some alerts like
SERVER-WEBAPP TP-Link Archer Router command injection attempt
SERVER-OTHER Apache Log4j logging remote code execution attempt
I have also enabled the portscan detection function (default options) under Interface - WAN Preprocs, but I can't see any alerts that would show us if a port scan was issued. We did a port scan from an outside network, but Snort didn't detect it or report any alerts that port scanning was going on.
Am I missing something here so we'll be able to see portscan detection under alerts?
Thank you
-
@mihan Snort/Suricata runs "outside" the firewall, so if it is run on WAN it will scan all inbound traffic/packets regardless of firewall rules. If you move it to LAN, it will 1) scan less traffic, and 2) alerts will contain the LAN IP of the device instead of the pfSense WAN IP.
We use Suricata so I can't answer the port scan question.
-
@SteveITS Hi
Thank you for the reply. So I need to change to using Snort on the LAN interface, not WAN; is that best practice?
I was thinking that if I use it on the WAN interface, Snort will analyze all incoming traffic from the internet before it reaches our LAN (over NAT)?
-
@mihan You can run it on WAN, if desired. The order of packet flow is:
Internet - Snort - firewall rules WAN - routing - firewall rules LAN (irrelevant for packets from Internet) - LAN devices
On either WAN or LAN it will alert/block.
-
@SteveITS said in Snort on pfSense port-scan configuration:
Internet - Snort - firewall rules WAN - routing - firewall rules LAN (irrelevant for packets from Internet) - LAN devices
If running an instance on a WAN and LAN interface simultaneously, the order is:
WAN ingress > Snort WAN instance > WAN ruleset > routing (i.e., WAN egress > LAN ingress) > Snort LAN instance > LAN ruleset > LAN egress
I personally run my 'heaviest duty' IDS/IPS instance on the LAN interface, and then a 'lighter' IDS/IPS instance on the WAN interface with only rules that contemplate open ports.
-
Thank you for the reply.
I was running Snort on WAN, but I can't see any portscan detection alerts.
We issued a few port scans from different outside IPs, but there were no alerts under Snort.
Are we doing something wrong?
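As an added illustration (not part of the thread and not the pfSense package's own generated file), below is what the Snort 2.9 sfPortscan preprocessor stanza looks like, since the opening post enabled portscan detection with default options under the Preprocs tab and the last post still sees no alerts. pfSense writes this stanza into the per-interface snort.conf from the GUI settings, so the values here are illustrative and the settings belong in the GUI, not in a hand-edited file. The detail that matters when Snort sits on WAN: at sense_level low, sfPortscan only raises an alert after the scanned host answers probes with negative responses (TCP RST or ICMP unreachable). pfSense's default WAN policy blocks unsolicited packets silently, so an outside scan of ports that are not forwarded produces no negative responses and therefore no portscan alert at that level. Medium sensitivity additionally tracks filtered scans, where the scanner gets no reply at all, at the cost of more false positives from chatty hosts.

```conf
# sfPortscan stanza as written in a Snort 2.9 snort.conf (illustrative values).
# Only ONE preprocessor sfportscan line belongs in a config; the two below are shown
# side by side to contrast the sensitivity levels.

# Level that sees nothing when the firewall silently drops the probed ports:
# "low" alerts only on negative responses (RST / ICMP unreachable) from the target.
preprocessor sfportscan: proto { all } scan_type { all } sense_level { low } memcap { 10000000 }

# Level that also catches filtered scans (probes that receive no reply at all),
# which is what an outside scan of non-forwarded ports looks like on the WAN side.
# ignore_scanners keeps your own authorised scanner quiet; 203.0.113.10 is a
# constructed placeholder address.
preprocessor sfportscan: proto { all } scan_type { all } sense_level { medium } memcap { 10000000 } ignore_scanners { 203.0.113.10 }
```

When checking results, sfPortscan alerts are generated under generator id 122 (for example 122:1 "TCP Portscan" or 122:5 "TCP Filtered Portscan") rather than under a text rule category, so filtering the alert log on "[122:" is a quick way to confirm whether the preprocessor fired at all, independent of how the pfSense alerts tab groups them. In monitor mode the level only affects what is logged; it does not change what the firewall passes.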