Netgate Discussion Forum

Snort Alert Question?

pfSense Packages
9 Posts 3 Posters 3.4k Views
  • S
    serriere
    last edited by Jan 8, 2007, 11:56 PM

    I'm using pfSense 1.01 in conjunction with the Snort package and all is working correctly (pfSense has been rock solid!). However, I would like to be able to trace the Snort alerts to the IP address of the offending system.

    Currently my pfSense box is set up as the gateway/firewall/NAT router/DHCP server on the network and the Snort alerts look like:
    [ ** ] [ 1:2457:2 ] CHAT Yahoo IM message [ ** ] 
    [ Classification: Potential Corporate Privacy Violation ] [ Priority: 1 ] 
    01/08-15:47:24.903147 XX.XXX.XX.XXX:53340 -> XX.XXX.XX.XX:5101
    TCP TTL:127 TOS:0x0 ID:49206 IpLen:20 DgmLen:164 DF
    AP Seq: 0x1C75CC8B Ack: 0x4EC649BC Win: 0xFFFF TcpLen: 20

    Where XX.XXX.XX.XXX is the external IP address of the pfSense box. Is there a simple method or tool through which I, as the network administrator, can determine which local IP (a 192.168.0.xx address) the port is referring to? Any help would be greatly appreciated.

    • S
      sullrich
      last edited by Jan 9, 2007, 12:09 AM

      @serriere:

      I'm using pfSense 1.01 in conjunction with the Snort package and all is working correctly (pfSense has been rock solid!). However, I would like to be able to trace the Snort alerts to the IP address of the offending system.

      Currently my pfSense box is set up as the gateway/firewall/NAT router/DHCP server on the network and the Snort alerts look like:
      [ ** ] [ 1:2457:2 ] CHAT Yahoo IM message [ ** ] 
      [ Classification: Potential Corporate Privacy Violation ] [ Priority: 1 ] 
      01/08-15:47:24.903147 XX.XXX.XX.XXX:53340 -> XX.XXX.XX.XX:5101
      TCP TTL:127 TOS:0x0 ID:49206 IpLen:20 DgmLen:164 DF
      AP Seq: 0x1C75CC8B Ack: 0x4EC649BC Win: 0xFFFF TcpLen: 20

      Where XX.XXX.XX.XXX is the external IP address of the pfSense box. Is there a simple method or tool through which I, as the network administrator, can determine which local IP (a 192.168.0.xx address) the port is referring to? Any help would be greatly appreciated.

      XX.XXX.XX.XXX:53340 -> XX.XXX.XX.XX:5101

      53340 and 5101 are the ports in this case.

      • S
        serriere
        last edited by Jan 9, 2007, 12:28 AM

        Right. But how/what can I use to determine which local IP the ports are referring to?

        • S
          sullrich
          last edited by Jan 9, 2007, 12:46 AM

          Not sure I am following you.  The local and remote ip addresses are both listed in the same line.

          • S
            serriere
            last edited by Jan 9, 2007, 1:02 AM

            That's right, I've got the IP address of the remote host (in this case the yahoo messenger server) and the IP address of my pfSense box. But what I want is the IP address of the machine on my private network behind the pfSense box. Right now all of the internet traffic is passing through the pfSense box, and that is when Snort examines the traffic, but what I really want to know is who on my local network is initiating the traffic.

            • H
              hoba
              last edited by Jan 9, 2007, 1:09 AM

              I guess you need to enable snort on lan for this too or do some kind of association to a firewallstate via diagnostics>states or some kind of logging package.

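The state-table association hoba suggests, worked through as an added example (not code from the thread or from pfSense): a WAN-side Snort alert only carries the post-NAT source address and port, so the LAN host is recovered by matching the alert's (translated source, destination) pair against the firewall's active states. The alert line and the `pfctl -ss`-style state lines below are constructed samples using documentation address ranges; because source ports are reused over time, the match is only trustworthy while the state is still active, which is why running Snort on the LAN side is the more robust answer.

```python
import re

# Constructed sample: one Snort fast-format alert as seen on the WAN interface,
# plus three pf states in `pfctl -ss` layout: "<if> <proto> <lan> (<nat>) -> <dst> <state>".
SNORT_ALERT = "01/08-15:47:24.903147 203.0.113.5:53340 -> 198.51.100.20:5101"
PF_STATES = """\
all tcp 192.168.0.12:1189 (203.0.113.5:53340) -> 198.51.100.20:5101 ESTABLISHED:ESTABLISHED
all tcp 192.168.0.7:2048 (203.0.113.5:61002) -> 198.51.100.30:443 ESTABLISHED:ESTABLISHED
all udp 192.168.0.12:1025 (203.0.113.5:1025) -> 198.51.100.53:53 MULTIPLE:SINGLE
"""

# Only NAT'd outbound states (the ones with a parenthesised translated source) are of interest.
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>\w+)\s+(?P<lan>\S+)\s+\((?P<nat>\S+)\)\s+->\s+(?P<dst>\S+)"
)


def parse_alert(line):
    """Return (src, dst) as 'ip:port' strings from a Snort fast-format alert line."""
    m = re.search(r"(\S+) -> (\S+)", line)
    if not m:
        raise ValueError("not a Snort fast-format alert line: %r" % line)
    return m.group(1), m.group(2)


def parse_states(text):
    """Return a list of dicts (proto, lan, nat, dst) for every NAT'd state line."""
    return [m.groupdict() for m in map(STATE_RE.match, text.splitlines()) if m]


def lan_host_for_alert(alert_line, states_text):
    """Map a WAN-side alert to the LAN IP that owns the matching NAT state.

    Both packet directions are handled: an alert on the outbound packet has
    (nat, dst) as its endpoints; an alert on the reply packet has (dst, nat).
    Returns None when no active state explains the alert (e.g. the state expired).
    """
    src, dst = parse_alert(alert_line)
    for st in parse_states(states_text):
        if (st["nat"], st["dst"]) in ((src, dst), (dst, src)):
            return st["lan"].rsplit(":", 1)[0]
    return None


if __name__ == "__main__":
    print(lan_host_for_alert(SNORT_ALERT, PF_STATES))
```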
              • S
                serriere
                last edited by Jan 9, 2007, 1:16 AM

                Indeed, it appears that I need to have Snort running on the LAN connection instead of the WAN connection. However, if I do that, I won't be able to detect any external attacks (like portscans). Any thoughts on the security implications of this change? I shouldn't really have to worry about external attacks anyway since the firewall blocks them and logs them too, right? This solution gives me exactly what I want in that I will be able to detect which local users are causing the Snort alerts, so I think I'm going to give this a try.

                • H
                  hoba
                  last edited by Jan 9, 2007, 1:17 AM

                  Shouldn't it be able to run Snort on WAN and LAN? Try clicking the interfaces while you hold down Ctrl and save.

                  • S
                    serriere
                    last edited by Jan 9, 2007, 1:24 AM Jan 9, 2007, 1:19 AM

                    Yep I just noticed that as I went to reconfigure!

                    Thanks for your help guys.  ;D

                    [Edit:] In fact, it would appear that Snort does not like to run on multiple interfaces; a bug perhaps?
