Netgate Discussion Forum

    Snort on LAN interface

    pfSense Packages
    shawniverson

      Just wanted to post this little tidbit.  Hopefully others will benefit.

      If you want to use Snort to monitor your LAN in addition to your WAN (perhaps to locate hosts with suspicious activity on the inside, such as malware trying to call out)…

      You need to redefine your Home Net.  By default Home Net defines the translated addresses on the WAN interface, not the internal LAN addresses.

      1)  Define an Alias representing the networks on your LAN
      2)  Create a "whitelist" (yes, it seems counterintuitive) associated with your Alias.  Make sure all autogenerated IP categories are unchecked.
      3)  In the interface settings for your LAN, change Home Net to your "whitelist" defining your Home Net.

      You will now start receiving alerts on the LAN interface.

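Why the Home Net change in the post above matters, as an added example (not part of the original post, and not pfSense or Snort code): a Python model of the common rule header `$HOME_NET any -> $EXTERNAL_NET any`, taking the post's description of the default Home Net as given. It assumes EXTERNAL_NET is defined as `!$HOME_NET`; all addresses, subnets and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation and private ranges only).
WAN_HOME_NET = ["203.0.113.10/32"]                    # default per the post: translated WAN address
LAN_HOME_NET = ["192.168.1.0/24", "192.168.20.0/24"]  # contents of the hypothetical LAN alias
# (src, dst) pairs as seen on the LAN interface, i.e. before NAT.
FLOWS = [
    ("192.168.1.50", "198.51.100.7"),   # LAN host calling out
    ("192.168.20.14", "198.51.100.7"),  # second LAN subnet calling out
    ("192.168.1.50", "192.168.20.14"),  # internal-to-internal traffic
    ("10.9.0.3", "198.51.100.7"),       # subnet that was left out of the alias
]

def parse_nets(cidrs):
    """Turn CIDR strings into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def in_nets(addr, nets):
    """True if addr falls inside any of the networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def outbound_rule_matches(src, dst, home_net):
    """Model of '$HOME_NET any -> $EXTERNAL_NET any' with EXTERNAL_NET = !$HOME_NET (assumption)."""
    return in_nets(src, home_net) and not in_nets(dst, home_net)

def matching_flows(flows, home_net):
    """Flows that an outbound rule of this shape can alert on."""
    return [(s, d) for s, d in flows if outbound_rule_matches(s, d, home_net)]

def uncovered_sources(flows, home_net):
    """Source addresses seen on the LAN that Home Net does not cover."""
    missing = {s for s, _ in flows if not in_nets(s, home_net)}
    return [str(ip) for ip in sorted(ipaddress.ip_address(s) for s in missing)]

if __name__ == "__main__":
    for label, cidrs in (("WAN-style Home Net", WAN_HOME_NET), ("LAN alias Home Net", LAN_HOME_NET)):
        nets = parse_nets(cidrs)
        print(label)
        print("  rule can match:", matching_flows(FLOWS, nets))
        print("  sources not covered:", uncovered_sources(FLOWS, nets))
```

The last flow shows the check worth repeating after step 3: any LAN subnet missing from the alias stays outside Home Net, so rules of this shape still cannot match its hosts.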
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.