Port mirroring?



  • Hello, I would like to implement port mirroring on the pfSense firewall to route traffic through a SNORT box for traffic analysis.

    I read some old posts about hacking "filter.inc". I don't have a lot of experience with BSD or Linux, for that matter, but I want to learn.

    Can anyone point me in the direction of a good book or web post on the matter? Or maybe there is a better way to implement this using a SNORT box?

    Any help is appreciated. Thanks in advance.


  • Rebel Alliance Developer Netgate

    You can do this on 2.0. When you set up a bridge, click the advanced options button and choose the snort interface as the "span port".



  • @jimp:

    You can do this on 2.0. When you set up a bridge, click the advanced options button and choose the snort interface as the "span port".

    Thank you :)

    OK, I will have to do some research on bridging. Since the pfSense firewall will be doing a lot of processing due to mirroring all the traffic, is there a recommended minimum hardware requirement needed?



  • Also, would it be better to mirror traffic from a switch rather than the pfSense box?



  • @amrogers3:

    Also, would it be better to mirror traffic from a switch rather than the pfSense box?

    bumpity bump.


  • Netgate Administrator

    I'm not sure I understand the question. Do you mean would it be better to use the switch for port mirroring?
    If so then yes, if your switch supports it, as it won't load your pfSense box.

    Steve



  • @stephenw10:

    I'm not sure I understand the question. Do you mean would it be better to use the switch for port mirroring?
    If so then yes, if your switch supports it, as it won't load your pfSense box.

    Steve

    Hi Steve, yes that was my question. I will use a switch then.

