Netgate Discussion Forum
    Snort Alert Question?

    pfSense Packages
    9 Posts 3 Posters 3.3k Views
    serriere

      I'm using pfSense 1.01 in conjunction with the Snort package and all is working correctly (pfSense has been rock solid!). However, I would like to be able to trace the Snort Alerts to the IP address of the offending system.

      Currently my pfSense box is set up as the gateway/firewall/NAT router/DHCP server on the network and the Snort alerts look like:
      [ ** ] [ 1:2457:2 ] CHAT Yahoo IM message [ ** ] 
      [ Classification: Potential Corporate Privacy Violation ] [ Priority: 1 ] 
      01/08-15:47:24.903147 XX.XXX.XX.XXX:53340 -> XX.XXX.XX.XX:5101
      TCP TTL:127 TOS:0x0 ID:49206 IpLen:20 DgmLen:164 DF
      AP Seq: 0x1C75CC8B Ack: 0x4EC649BC Win: 0xFFFF TcpLen: 20

      Where XX.XXX.XX.XXX is the external IP address of the pfSense box. Is there a simple method or tool through which I, as the network administrator, can determine which local IP (a 192.168.0.xx address) the port is referring to? Any help would be greatly appreciated.

      sullrich

        @serriere:

        XX.XXX.XX.XXX:53340 -> XX.XXX.XX.XX:5101

        53340 and 5101 are the ports in this case.

        serriere

          Right. But how/what can I use to determine which local IP the ports are referring to?

          sullrich

            Not sure I am following you. The local and remote IP addresses are both listed in the same line.

            serriere

              That's right, I've got the IP address of the remote host (in this case the yahoo messenger server) and the IP address of my pfSense box. But what I want is the IP address of the machine on my private network behind the pfSense box. Right now all of the internet traffic is passing through the pfSense box, and that is when Snort examines the traffic, but what I really want to know is who on my local network is initiating the traffic.

              hoba

                I guess you need to enable Snort on LAN for this too, or do some kind of association to a firewall state via Diagnostics > States, or some kind of logging package.

                serriere

                  Indeed, it appears that I need to have Snort running on the LAN connection instead of the WAN connection. However, if I do that, I won't be able to detect any external attacks (like portscans). Any thoughts on the security implications of this change? I shouldn't really have to worry about external attacks anyway since the firewall blocks them and logs them too, right? This solution gives me exactly what I want in that I will be able to detect which local users are causing the Snort alerts, so I think I'm going to give this a try.

                  hoba

                    Shouldn't it be able to run Snort at WAN and LAN? Try clicking the interfaces while you hold down Ctrl and save.

                    serriere

                      Yep I just noticed that as I went to reconfigure!

                      Thanks for your help guys.  ;D

                      [Edit:] In fact, it would appear that Snort does not like to run on multiple interfaces; a bug perhaps?

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.