Snort in transparent mode

  • Hi,

    I have tried searching for an answer to the question "Can I use Snort on a pfSense 2.1 box in transparent mode?" but all I find are threads for old versions, or indicating a lot of modifications to configuration files that I'm not 100% comfortable with.

    If yes, are there any good guides/how-tos out there?

  • What do you mean? Snort is not a proxy like squid.

  • Exactly, it analyses traffic passing through the firewall and blocks bad traffic. It should be capable of doing so when pfSense is in transparent (bridged) mode as well, just as you can add firewall rules on a transparent box.

  • pfSense is essentially a router, which is never transparent. Clients need to have a proper gateway address. Squid, the web proxy, can be either transparent or opaque (requiring special browser settings).

    Snort itself is rather passive and reports only. When you use additional software like spoink or snortsam, there is some feedback mechanism that modifies the firewall to block offenders.

    Maybe this helps a bit to sort out how things work together.

  • pfSense can be deployed and is being deployed in "transparent" bridge mode, not only as a router.

    Whether pfSense's snort-package can work correctly in such a configuration, I'm not quite sure though …

  • Yes, there are other threads dealing with this topic and "System: Advanced: System Tunables" has a few parameters that contain the word "bridge". I have a few APs running as plain bridges, but never thought of using pfSense as a bridge. At least I understand now to some degree why this setup could make any sense :)

  • Snort listens on network interface(s). It doesn't matter if they're bridged, routed, NATed, or just a span port from a switch that isn't involved in moving/filtering the traffic of the network at all. It's all the same.
