Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Snort local IP

    pfSense Packages
    2
    3
    1257
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      Sander88 last edited by

      Hi,

      We have snort running on our PFSense box. It checks the WAN interface. Sometimes I see some outgoing warnings like: <my wan="" ip="">-> <remote server="">. This makes it difficult to see which local client caused the warning. Simply said I would like to see which local IP involved. Is it possible to retrieve this information and add it to the alert screen?

      Currently we do this manually by using the outgoing port and looking it up in the NAT table. But this doesn't work with older alerts as the mapping has already been removed from the NAT table (as it should).

      Thank for reply and idea's.

      Regards,
      Sander</remote></my>

      1 Reply Last reply Reply Quote 0
      • bmeeks
        bmeeks last edited by

        @Sander88:

        Hi,

        We have snort running on our PFSense box. It checks the WAN interface. Sometimes I see some outgoing warnings like: <my wan="" ip="">-> <remote server="">. This makes it difficult to see which local client caused the warning. Simply said I would like to see which local IP involved. Is it possible to retrieve this information and add it to the alert screen?

        Currently we do this manually by using the outgoing port and looking it up in the NAT table. But this doesn't work with older alerts as the mapping has already been removed from the NAT table (as it should).

        Thank for reply and idea's.

        Regards,
        Sander</remote></my>

        If you want to see the internal hosts, then you need to run Snort on the LAN interface as well.  If you have enough CPU horsepower and thus don't really care about duplicating effort, you can just run the same rules on both interfaces (WAN and LAN), and block on the WAN and not the LAN.  Or, you could get creative and run certain rules on the WAN and others on the LAN and block on both.  I do this.  I run some of the ET CIARMY and RBN type rules on my WAN.  Then I run the Snort Balanced Policy on my LAN.  There probably some overlap, but I tolerate that for the extra information about which internal host is receiving/sending the traffic.

        Here is a post from another user describing how he did it:  http://forum.pfsense.org/index.php/topic,61132.0.html

        Bill

        1 Reply Last reply Reply Quote 0
        • S
          Sander88 last edited by

          Bill thanks for your reply :). Sounds as pretty good solution, there is enough CPU and free memory to run multiple instances of snort (different interfaces). I will problably only enable the virus and malware rules of snort on the LAN interface. As that's the reasons why I might need the local IP.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post