SNORT issues in BRIDGE and VLAN'ed Environment



  • Hi All,
    We've set up a lab environment to implement a transparent bridge between internet traffic and the customers' networks behind the bridge (customer networks are on VLANs).

    1. We set up the bridge based on the pfSense 2.0 release by creating the proper VLAN on the external interface and a VLAN on the internal interface, then bridged them together into a bridge interface (let's say interface BRIDGE0). It's a physical machine with 3 network cards (1 of them is for management), dual 3GHz CPUs and 3GB of RAM; we're running a 32-bit version of pfSense v2.0.

    2. We tested the traffic in and out and it worked well. The filtering is set to be on the bridge interface (net.link.bridge.pfil_onlyip=4, net.link.bridge.pfil_member=0, net.link.bridge.pfil_bridge=1). At this stage everything works as expected in this VLAN'ed environment and customers still have/keep their public IPs (which is our main target).

    3. We've installed the snort 2.9.0.5 pkg v2.0 and enabled it on the BRIDGE interface, plus the usual Oinkmaster, checking some categories/rules (WEB, SMTP, SCAN and DDOS) as well as checking all the boxes on the preprocessor tab, leaving Barnyard2 disabled.

    4. We started the SNORT service.

    Apart from the standard traffic (by putting some servers in this lab environment), we did try to force some traffic from outside to inside by artificially scanning and exploiting using some nice tools out there (for example BackTrack); however, we didn't see any alert generated by SNORT!!!

    • We did try to enable the ICMP and DNS rule categories in snort and the Emerging Threats rules, and this triggered some alerts, BUT only when the traffic started from the INSIDE, and the customer IP was blocked at that stage.
    • We tried with every other standard rule to trigger an alert for the traffic coming from the outside, and there was no luck.
    • We've swapped the interfaces mapped to the external and the internal side, but it's the same behaviour.

    I've been reading around the forum and I can't seem to find confirmation that SNORT really works in transparent bridge mode. Does anybody have this type of setup working? Can anyone confirm that snort works in a VLAN bridged environment?

    BTW: the snort service just crashes after a random time of running, and the service has to be started manually again, even after an uninstall/reinstall of the package and lowering the memory and performance level.

    Can anyone help by pointing out what could be wrong in our setup?
    Thanks.
    A.J.
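A symptom like "alerts only when the traffic starts from the inside" is worth separating into two questions: do packets from the outside reach the sensor at all, and, if they do, do the rule headers actually match them in that direction? Snort rules such as `alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (...)` only fire when the source address falls in `EXTERNAL_NET` and the destination in `HOME_NET`; with the common definition `ipvar EXTERNAL_NET !$HOME_NET`, a `HOME_NET` that is wrong for the bridged customer VLAN (or left at `any`, which makes `EXTERNAL_NET` empty) silently kills every inbound rule while a direction-agnostic `any any -> any any` rule still fires. The script below is an added example, not code from the pfSense or Snort projects; it re-implements only the small subset of Snort's rule-header and `ipvar` syntax needed to show this, and the rules, addresses (RFC 5737 documentation ranges) and flows are constructed for the demonstration.

```python
"""Model of how Snort's HOME_NET / EXTERNAL_NET variables gate which rules
can fire on a bridge sensor. Added example; not pfSense or Snort code, and
it handles only the subset of Snort's header syntax used below."""
import ipaddress
import re

ANY_NET = (ipaddress.ip_network("0.0.0.0/0"),)


def parse_ipvar(text, variables):
    """Parse an IP spec: 'any', a CIDR, '[a,b]' or '$VAR', optionally prefixed
    with '!'. Returns (networks, negated); '!$HOME_NET' means "not in HOME_NET"."""
    text = text.strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:].strip()
    if text.startswith("$"):                          # variable reference
        nets, inner = parse_ipvar(variables[text[1:]], variables)
        return nets, negated != inner
    if text == "any":
        return ANY_NET, negated
    if text.startswith("[") and text.endswith("]"):   # bracketed list
        nets = []
        for item in text[1:-1].split(","):
            sub, sub_neg = parse_ipvar(item, variables)
            if sub_neg:
                raise ValueError("negation inside a list is not modelled: " + item)
            nets.extend(sub)
        return tuple(nets), negated
    return (ipaddress.ip_network(text, strict=False),), negated


def addr_matches(addr, spec):
    nets, negated = spec
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets) != negated


def port_matches(port, spec):
    """'any', a single port or a 'lo:hi' range, optionally prefixed with '!'."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negated


HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")


def parse_rule(rule):
    """Split 'action proto src sport dir dst dport (options)' and pull the sid."""
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule header: " + rule)
    action, proto, src, sport, direction, dst, dport = m.groups()
    sid = re.search(r"\bsid\s*:\s*(\d+)", rule)
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dir": direction,
            "dst": dst, "dport": dport, "sid": int(sid.group(1)) if sid else None}


def rule_matches(rule, flow, variables):
    """flow = (proto, src_ip, src_port, dst_ip, dst_port). '<>' tries both orientations."""
    r = parse_rule(rule)
    proto, src, sport, dst, dport = flow
    if r["proto"] not in ("ip", proto):
        return False
    src_spec = parse_ipvar(r["src"], variables)
    dst_spec = parse_ipvar(r["dst"], variables)

    def oriented(a, ap, b, bp):
        return (addr_matches(a, src_spec) and port_matches(ap, r["sport"])
                and addr_matches(b, dst_spec) and port_matches(bp, r["dport"]))

    return oriented(src, sport, dst, dport) or (r["dir"] == "<>" and oriented(dst, dport, src, sport))


def firing_sids(rules, flow, variables):
    return [parse_rule(r)["sid"] for r in rules if rule_matches(r, flow, variables)]


# Constructed sample data (RFC 5737 documentation addresses, not a real site).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB probe from outside"; sid:1000001;)',
    'alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS query from a customer"; sid:1000002;)',
    'alert ip any any -> any any (msg:"direction-agnostic canary"; sid:1000003;)',
]
INBOUND_SCAN = ("tcp", "198.51.100.7", 40123, "203.0.113.10", 80)    # outside -> customer
OUTBOUND_DNS = ("udp", "203.0.113.10", 53211, "198.51.100.53", 53)   # customer -> outside

# HOME_NET covers the customers' public VLAN: inbound and outbound rules both fire.
CUSTOMER_VARS = {"HOME_NET": "203.0.113.0/24", "EXTERNAL_NET": "!$HOME_NET"}
# HOME_NET left at 'any' with EXTERNAL_NET = !$HOME_NET: EXTERNAL_NET is empty,
# every rule that mentions it is dead, and only the canary fires.
ANY_HOME_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "!$HOME_NET"}

if __name__ == "__main__":
    for variables in (CUSTOMER_VARS, ANY_HOME_VARS):
        for label, flow in (("inbound scan", INBOUND_SCAN), ("outbound DNS", OUTBOUND_DNS)):
            print(f"HOME_NET={variables['HOME_NET']:<16} {label:<13} -> {firing_sids(RULES, flow, variables)}")
```

The canary rule is the practical check: load a single `alert ip any any -> any any` rule on the bridge sensor and drive traffic from the outside. If the canary fires but the category rules do not, the packets are reaching Snort and the `HOME_NET`/`EXTERNAL_NET` values in the generated snort.conf (for a bridge interface that carries no IP of its own they deserve a look) are what to fix; if even the canary stays silent, confirm with `tcpdump -ni bridge0` whether the outside traffic is visible on the bridge interface at all before touching the rules.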
