Snort local IP



  • Hi,

    We have snort running on our PFSense box. It checks the WAN interface. Sometimes I see some outgoing warnings like: <my wan="" ip="">-> <remote server="">. This makes it difficult to see which local client caused the warning. Simply said I would like to see which local IP involved. Is it possible to retrieve this information and add it to the alert screen?

    Currently we do this manually by using the outgoing port and looking it up in the NAT table. But this doesn't work with older alerts as the mapping has already been removed from the NAT table (as it should).

    Thank for reply and idea's.

    Regards,
    Sander</remote></my>



  • @Sander88:

    Hi,

    We have snort running on our PFSense box. It checks the WAN interface. Sometimes I see some outgoing warnings like: <my wan="" ip="">-> <remote server="">. This makes it difficult to see which local client caused the warning. Simply said I would like to see which local IP involved. Is it possible to retrieve this information and add it to the alert screen?

    Currently we do this manually by using the outgoing port and looking it up in the NAT table. But this doesn't work with older alerts as the mapping has already been removed from the NAT table (as it should).

    Thank for reply and idea's.

    Regards,
    Sander</remote></my>

    If you want to see the internal hosts, then you need to run Snort on the LAN interface as well.  If you have enough CPU horsepower and thus don't really care about duplicating effort, you can just run the same rules on both interfaces (WAN and LAN), and block on the WAN and not the LAN.  Or, you could get creative and run certain rules on the WAN and others on the LAN and block on both.  I do this.  I run some of the ET CIARMY and RBN type rules on my WAN.  Then I run the Snort Balanced Policy on my LAN.  There probably some overlap, but I tolerate that for the extra information about which internal host is receiving/sending the traffic.

    Here is a post from another user describing how he did it:  http://forum.pfsense.org/index.php/topic,61132.0.html

    Bill



  • Bill thanks for your reply :). Sounds as pretty good solution, there is enough CPU and free memory to run multiple instances of snort (different interfaces). I will problably only enable the virus and malware rules of snort on the LAN interface. As that's the reasons why I might need the local IP.


Log in to reply