Snort Alert Question?



  • I'm using pfSense 1.01 in conjunction with the Snort package and all is working correctly (pfSesnse has been rock solid !). However, I would like to be able to trace the Snort Alerts to the IP address of the offending system.

    Currently my pfSense box is set up as the gateway/firewall/NAT router/DHCP server on the network and the Snort alerts look like:
    [ ** ] [ 1:2457:2 ] CHAT Yahoo IM message [ ** ] 
    [ Classification: Potential Corporate Privacy Violation ] [ Priority: 1 ] 
    01/08-15:47:24.903147 XX.XXX.XX.XXX:53340 -> XX.XXX.XX.XX:5101
    TCP TTL:127 TOS:0x0 ID:49206 IpLen:20 DgmLen:164 DF
    AP Seq: 0x1C75CC8B Ack: 0x4EC649BC Win: 0xFFFF TcpLen: 20

    Where XX.XXX.XX.XXX is the external IP address of the pfSense box. Is there a simple method or tool though which I, as the network administrator, can determine which local IP (a 192.168.0.xx address) the port is referring to? Any help would be greatly appreciated.



  • @serriere:

    I'm using pfSense 1.01 in conjunction with the Snort package and all is working correctly (pfSesnse has been rock solid !). However, I would like to be able to trace the Snort Alerts to the IP address of the offending system.

    Currently my pfSense box is set up as the gateway/firewall/NAT router/DHCP server on the network and the Snort alerts look like:
    [ ** ] [ 1:2457:2 ] CHAT Yahoo IM message [ ** ] 
    [ Classification: Potential Corporate Privacy Violation ] [ Priority: 1 ] 
    01/08-15:47:24.903147 XX.XXX.XX.XXX:53340 -> XX.XXX.XX.XX:5101
    TCP TTL:127 TOS:0x0 ID:49206 IpLen:20 DgmLen:164 DF
    AP Seq: 0x1C75CC8B Ack: 0x4EC649BC Win: 0xFFFF TcpLen: 20

    Where XX.XXX.XX.XXX is the external IP address of the pfSense box. Is there a simple method or tool though which I, as the network administrator, can determine which local IP (a 192.168.0.xx address) the port is referring to? Any help would be greatly appreciated.

    XX.XXX.XX.XXX:53340 -> XX.XXX.XX.XX:5101

    53340 and 5101 are the ports in this case.



  • Right. But how/what can I use to determine which local IP the ports are referring to?



  • Not sure I am following you.  The local and remote ip addresses are both listed in the same line.



  • That's right, I've got the IP address of the remote host (in this case the yahoo messenger server) and the IP address of my pfSense box. But what I want is the IP address of the machine on my private network behind the pfSense box. Right now all of the internet traffic is passing through the pfSense box, and that is when Snort examines the traffic, but what I really want to know is who on my local network is initiating the traffic.



  • I guess you need to enable snort on lan for this too or do some kind of association to a firewallstate via diagnostics>states or some kind of logging package.



  • Indeed, it appears that I need to have Snort running on the LAN connection instead of the WAN connection. However, if I do that, I won't be able to detect any external attacks (like portscans). Any thoughts on the security implications of this change? I shouldn't really have to worry about external attacks anyway since the firewall blocks them and logs them too, right? This solutions gives me exactly what I want in that I will be able to detect which local users are causing the Snort alerts, so I think I'm going to give this a try.



  • Shouldn'T it be able to run snort at wan and lan? Try clicking the interfaces while you hold down ctrl and save.



  • Yep I just noticed that as I went to reconfigure!

    Thanks for your help guys.  ;D

    [Edit:] In fact, it would appear that Snort does not like to run on multiple interfaces; a bug perhaps?


Locked