Netgate Discussion Forum
    Snort local IP

    pfSense Packages
Sander88

      Hi,

We have snort running on our PFSense box. It checks the WAN interface. Sometimes I see some outgoing warnings like: <my wan ip> -> <remote server>. This makes it difficult to see which local client caused the warning. Simply said, I would like to see which local IP is involved. Is it possible to retrieve this information and add it to the alert screen?

      Currently we do this manually by using the outgoing port and looking it up in the NAT table. But this doesn't work with older alerts as the mapping has already been removed from the NAT table (as it should).

Thanks for replies and ideas.

      Regards,
Sander

bmeeks

@Sander88:

If you want to see the internal hosts, then you need to run Snort on the LAN interface as well.  If you have enough CPU horsepower and thus don't really care about duplicating effort, you can just run the same rules on both interfaces (WAN and LAN), and block on the WAN and not the LAN.  Or, you could get creative and run certain rules on the WAN and others on the LAN and block on both.  I do this.  I run some of the ET CIARMY and RBN type rules on my WAN.  Then I run the Snort Balanced Policy on my LAN.  There is probably some overlap, but I tolerate that for the extra information about which internal host is receiving/sending the traffic.

        Here is a post from another user describing how he did it:  http://forum.pfsense.org/index.php/topic,61132.0.html

        Bill

Sander88

Bill, thanks for your reply :). Sounds like a pretty good solution; there is enough CPU and free memory to run multiple instances of snort (different interfaces). I will probably only enable the virus and malware rules of snort on the LAN interface, as that's the reason why I might need the local IP.
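The manual lookup Sander describes (matching the WAN source port of an outbound Snort alert against the NAT state table, which fails once the state has expired), as an added Python example that is not from this thread. It parses constructed Snort "fast" alert lines and a constructed snapshot in the shape of `pfctl -ss` output on a pfSense box (translated WAN address with the pre-NAT LAN address in parentheses); that output shape is an assumption, and all addresses are documentation-range values.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed Snort "fast" alert lines as seen on a WAN interface (addresses from RFC 5737 ranges).
SNORT_ALERTS = """\
03/12-10:15:42.123456  [**] [1:2000001:1] EXAMPLE outbound alert A [**] [Priority: 2] {TCP} 203.0.113.10:51234 -> 198.51.100.5:80
03/12-09:01:07.000001  [**] [1:2000002:1] EXAMPLE outbound alert B [**] [Priority: 2] {TCP} 203.0.113.10:40001 -> 198.51.100.9:443
"""

# Constructed snapshot in the assumed shape of `pfctl -ss`: "<if> <proto> <nat src> (<lan src>) -> <dst> <state>".
# Only the first alert's state still exists; the second (older) alert's state has already expired.
PF_STATES = """\
all tcp 203.0.113.10:51234 (192.168.1.25:51234) -> 198.51.100.5:80       ESTABLISHED:ESTABLISHED
all udp 203.0.113.10:53012 (192.168.1.40:53012) -> 198.51.100.53:53       MULTIPLE:SINGLE
"""

ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>\w+)\s+(?P<nat>[\d.]+):(?P<natport>\d+)\s+"
    r"\((?P<lan>[\d.]+):(?P<lanport>\d+)\)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")

NatIndex = Dict[Tuple[str, str, int], str]


def build_nat_index(states: str) -> NatIndex:
    """Map (proto, translated WAN address, translated port) -> LAN host from a state snapshot."""
    index: NatIndex = {}
    for line in states.splitlines():
        m = STATE_RE.match(line)
        if m:
            index[(m["proto"].lower(), m["nat"], int(m["natport"]))] = m["lan"]
    return index


def resolve_alert(alert_line: str, index: NatIndex) -> Optional[str]:
    """Return the LAN host behind an outbound WAN alert, or None when no matching state remains."""
    m = ALERT_RE.search(alert_line)
    if not m:
        return None
    return index.get((m["proto"].lower(), m["src"], int(m["sport"])))


def resolve_all(alerts: str, states: str) -> Dict[str, Optional[str]]:
    """Resolve every alert; key is the WAN src:port, value the LAN host or None if the state expired."""
    index = build_nat_index(states)
    result: Dict[str, Optional[str]] = {}
    for line in alerts.splitlines():
        m = ALERT_RE.search(line)
        if m:
            result[f"{m['src']}:{m['sport']}"] = resolve_alert(line, index)
    return result


if __name__ == "__main__":
    for wan_endpoint, lan_host in resolve_all(SNORT_ALERTS, PF_STATES).items():
        print(wan_endpoint, "->", lan_host or "state expired, LAN host unknown")
```

The second alert resolving to None is exactly the gap Sander hit: once pf drops the state, the WAN port alone no longer identifies the client, which is why running Snort on the LAN interface as well is the reliable answer.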

© 2021 Rubicon Communications, LLC