Netgate Discussion Forum
    Snort HOME_NET Settings

    pfSense Packages
ESWBitto:

      OK, here is the issue. We are using the latest packaged version of Snort and have both WAN and LAN interfaces set up. I can see traffic on my WAN no problem, but my LANs are not picking up anything. I know they are working because when I do a port scan they alert on it and show the information. I'm now trying to set it up so that when an alert fires it shows the internal IP and the outside IP as the culprit, or vice versa.

      When looking at the snort.conf it doesn't show that my ipvar HOME_NET is set to anything. I've been doing some research through the forums and the standard advice is don't modify the config directly, use the GUI. So do I follow the instructions of others to set up an alias and use the alias name in the whitelist? I'm not quite sure how to go about getting this set up correctly. I don't want to exclude the internal IPs from being monitored... I know it may create a lot of alerts, but those can be suppressed.

      bmeeks:

        @ESWBitto:

        There is a fix for this coming in Snort Package version 2.5.8.  Until then, create an Alias containing the firewall's locally attached networks and then create a Whitelist using that Alias along with the WAN IPs, Gateways and DNS Servers (if applicable).  These are all checkboxes on the Whitelist tab when creating a new list.  On the If Settings tab for the interface in Snort, set the HOME_NET variable to the whitelist you created and save the changes.

        Saving the changes on the If Settings tab is very important.  If you skip that step, then the snort.conf file will not get properly created.

        Bill

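The step that bites people in the procedure above is the last one: if the If Settings tab is not saved, the generated snort.conf never gets its HOME_NET line, and every rule written against $HOME_NET silently matches nothing useful. The following is an added example, not code from the thread or from the pfSense Snort package, for checking the generated file after saving. It assumes the package layout of one snort.conf per interface under /usr/local/etc/snort/snort_<id>_<iface>/ (assumed path; adjust if yours differs) and runs stand-alone against two constructed sample files that stand in for a broken and a fixed config.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a generated
# snort.conf defines HOME_NET as a concrete address list rather than
# leaving it undefined or set to "any". On pfSense the per-interface
# files are assumed to live at
#   /usr/local/etc/snort/snort_<id>_<iface>/snort.conf
# so on a real box you would run:  check_home_net /usr/local/etc/snort/snort_*/snort.conf

# Print the value of an ipvar from a snort.conf, or nothing if it is absent.
#   $1 = variable name (e.g. HOME_NET)   $2 = path to snort.conf
ipvar_value() {
    sed -n "s/^[[:space:]]*ipvar[[:space:]]\{1,\}$1[[:space:]]\{1,\}//p" "$2" | head -n 1
}

# Return 0 when HOME_NET is a real list, 1 when it is missing or "any".
# Accepts one or more snort.conf paths and reports on each.
check_home_net() {
    rc=0
    for conf in "$@"; do
        val=$(ipvar_value HOME_NET "$conf")
        case "$val" in
            "")
                echo "$conf: HOME_NET is not defined; rules using \$HOME_NET will not match"
                rc=1 ;;
            any|\[any\])
                echo "$conf: HOME_NET is 'any'; alerts cannot tell inside from outside"
                rc=1 ;;
            *)
                echo "$conf: HOME_NET = $val" ;;
        esac
    done
    return $rc
}

# Constructed sample configs so the script runs offline; they are not real
# pfSense output, and the addresses are documentation ranges.
tmp=$(mktemp -d)
cat > "$tmp/broken.conf" <<'EOF'
# HOME_NET line missing, as in the original post
ipvar EXTERNAL_NET any
EOF
cat > "$tmp/fixed.conf" <<'EOF'
# What the Whitelist (LAN alias + WAN IP + gateway + DNS) should produce
ipvar HOME_NET [192.168.1.0/24,10.0.0.0/24,203.0.113.5,203.0.113.1]
ipvar EXTERNAL_NET !$HOME_NET
EOF

check_home_net "$tmp/broken.conf" || true   # reports the missing variable
check_home_net "$tmp/fixed.conf"            # prints the address list
```

The check deliberately treats `any` the same as a missing definition: with HOME_NET set to `any`, EXTERNAL_NET becomes `!any`, which is why alerts then fail to name one side as internal and the other as external.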