Netgate Discussion Forum
    Snort local IP

    pfSense Packages
    3 Posts 2 Posters 1.5k Views
    • Sander88

      Hi,

      We have Snort running on our pfSense box. It checks the WAN interface. Sometimes I see some outgoing warnings like: <my WAN IP> -> <remote server>. This makes it difficult to see which local client caused the warning. Simply said, I would like to see which local IP is involved. Is it possible to retrieve this information and add it to the alert screen?

      Currently we do this manually by using the outgoing port and looking it up in the NAT table. But this doesn't work with older alerts as the mapping has already been removed from the NAT table (as it should).

      Thanks for your reply and ideas.

      Regards,
      Sander

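The manual lookup the post describes (take the outgoing port from a WAN-side alert and find it in the NAT state table) can be scripted so that a batch of alerts is resolved in one pass and alerts whose state has already expired are flagged instead of silently misattributed. The following is an added example and not part of the thread or of the pfSense Snort package; it assumes Snort's "fast" alert log format and the layout `pfctl -ss` prints for an outbound NAT state (`nat_src:port (orig_src:port) -> dst:port`). All addresses, the SID 1000001 (local rule range) and the state lines are constructed sample input.

```python
import re
from typing import Dict, List, Tuple

# --- Constructed sample input (not taken from the forum thread) ---------------
# Snort "fast" alert lines as written to the alert log. SID 1000001 is a
# placeholder in the local rule range; addresses are documentation ranges.
SNORT_ALERTS = """\
09/14-10:22:31.123456  [**] [1:1000001:1] LOCAL example outbound alert [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:54321 -> 198.51.100.7:443
09/14-10:25:02.000001  [**] [1:1000001:1] LOCAL example outbound alert [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 203.0.113.5:40000 -> 198.51.100.9:53
"""

# pf state table in the layout `pfctl -ss` prints. The WAN-side entry of an
# outbound NAT state reads "nat_src:nat_port (orig_src:orig_port) -> dst:port";
# the LAN-side entry ("dst <- orig_src") carries no NAT mapping and is skipped.
# The state for the second alert (UDP 203.0.113.5:40000) is deliberately
# absent: it has already expired, which is the failure mode the post mentions.
PF_STATES = """\
all tcp 203.0.113.5:54321 (192.168.1.20:49152) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.7:443 <- 192.168.1.20:49152       ESTABLISHED:ESTABLISHED
all udp 203.0.113.5:41000 (192.168.1.31:5353) -> 198.51.100.9:53       MULTIPLE:MULTIPLE
"""

# "{TCP} 203.0.113.5:54321 -> 198.51.100.7:443" at the end of a fast alert line
ALERT_RE = re.compile(
    r"\{(?P<proto>[A-Za-z]+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# "all tcp 203.0.113.5:54321 (192.168.1.20:49152) -> 198.51.100.7:443 ..."
NAT_STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>[a-z]+)\s+(?P<nat_src>[\d.]+):(?P<nat_sport>\d+)\s+"
    r"\((?P<orig_src>[\d.]+):(?P<orig_sport>\d+)\)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# (proto, nat_src, nat_sport, dst, dport) as seen from the WAN
StateKey = Tuple[str, str, str, str, str]


def parse_nat_states(text: str) -> Dict[StateKey, str]:
    """Index outbound NAT states by their WAN-side 5-tuple -> 'orig_src:orig_port'."""
    table: Dict[StateKey, str] = {}
    for line in text.splitlines():
        m = NAT_STATE_RE.match(line.strip())
        if not m:
            continue  # LAN-side copy or non-NAT state: nothing to map
        key = (m["proto"].lower(), m["nat_src"], m["nat_sport"], m["dst"], m["dport"])
        table[key] = f"{m['orig_src']}:{m['orig_sport']}"
    return table


def resolve_alerts(alert_text: str, state_text: str) -> List[dict]:
    """Attach the internal host to each WAN-side alert, or None if no state matches."""
    states = parse_nat_states(state_text)
    results = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        key = (m["proto"].lower(), m["src"], m["sport"], m["dst"], m["dport"])
        results.append({
            "alert": line.split("[**]")[1].strip() if "[**]" in line else line,
            "wan_src": f"{m['src']}:{m['sport']}",
            "dst": f"{m['dst']}:{m['dport']}",
            "internal": states.get(key),  # None: state already gone, do not guess
        })
    return results


def report(results: List[dict]) -> List[str]:
    """One human-readable line per alert, marking unresolvable ones explicitly."""
    out = []
    for r in results:
        who = r["internal"] or "unresolved (NAT state already expired)"
        out.append(f"{r['alert']}: {r['wan_src']} -> {r['dst']}  internal host: {who}")
    return out


if __name__ == "__main__":
    for line in report(resolve_alerts(SNORT_ALERTS, PF_STATES)):
        print(line)
```

Because pf drops a state shortly after the connection closes, this only works if the state table is captured close to the time of the alert (for example by a periodic job that saves `pfctl -ss` output next to the alert log); the unresolved marker is there so an expired state is never mistaken for a match. Running Snort on the LAN interface, as suggested below in the thread, avoids the problem entirely because the alert then carries the internal address itself.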
      • bmeeks

        @Sander88:

        If you want to see the internal hosts, then you need to run Snort on the LAN interface as well. If you have enough CPU horsepower and thus don't really care about duplicating effort, you can just run the same rules on both interfaces (WAN and LAN), and block on the WAN and not the LAN. Or, you could get creative and run certain rules on the WAN and others on the LAN and block on both. I do this. I run some of the ET CIARMY and RBN type rules on my WAN. Then I run the Snort Balanced Policy on my LAN. There is probably some overlap, but I tolerate that for the extra information about which internal host is receiving/sending the traffic.

        Here is a post from another user describing how he did it:  http://forum.pfsense.org/index.php/topic,61132.0.html

        Bill

        • Sander88

          Bill, thanks for your reply :). Sounds like a pretty good solution; there is enough CPU and free memory to run multiple instances of Snort (different interfaces). I will probably only enable the virus and malware rules of Snort on the LAN interface, as that's the reason why I might need the local IP.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.