Can Snort block when connected to a span port?
  • I have never used a span port with an IPS.  Is snort able to block traffic via a span port, or do I have to use an inline connection with two nics?  I want to have my snort box on a WAN switch if I can use a port span.  If not, I will use the dual nic and plug in before the router.  I have multiple static IP addresses.  Thanks.
  • @newbieuser1234:

    I have never used a span port with an IPS.  Is snort able to block traffic via a span port, or do I have to use an inline connection with two nics?  I want to have my snort box on a WAN switch if I can use a port span.  If not, I will use the dual nic and plug in before the router.  I have multiple static IP addresses.  Thanks.

    Snort on pfSense is not truly "inline".  Instead, it adds rules to the existing firewall set to block particular IP addresses.  Technically a third-party output plugin called Spoink works within Snort on pfSense to stick offending IP addresses into the pf engine's blocking table.

    So when used on pfSense, a SPAN port would really not be of much use.  Unless the traffic is coming through the pfSense firewall Snort is running on, any blocks put in place would be meaningless.

    Now if all you want is just to get alerts, then a SPAN port connection would do that.  Just be aware that no actual blocking would happen for every offending IP.  Only those which actually needed to traverse the firewall would be impacted by any block.

    Bill
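To make Bill's point concrete, here is an added shell illustration (not from this thread, and not the pfSense Snort package's or the Spoink plugin's own code): it pulls source addresses out of constructed Snort fast-format alert lines and emits the `pfctl` table operations a blocking plugin would issue. The table name `snort_block_example` and the alert lines are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration, not the pfSense Snort package's own code. It mimics what
# "blocking" means on pfSense: Snort does not drop packets itself; an output
# plugin inserts offending addresses into a pf table that the firewall
# ruleset references. TABLE and the alert lines below are constructed.
TABLE="snort_block_example"

# Constructed Snort "fast" alert lines using TEST-NET documentation addresses.
SAMPLE_ALERTS='03/12-14:23:01.123456  [**] [1:1000001:1] EXAMPLE suspicious probe [**] [Priority: 2] {TCP} 203.0.113.5:51234 -> 192.0.2.10:22
03/12-14:23:02.654321  [**] [1:1000002:1] EXAMPLE policy hit [**] [Priority: 3] {UDP} 198.51.100.7:5353 -> 192.0.2.10:53
03/12-14:23:03.000000  [**] [1:1000001:1] EXAMPLE suspicious probe [**] [Priority: 2] {TCP} 203.0.113.5:51235 -> 192.0.2.10:22'

# Extract the source address of each alert and de-duplicate, so an address
# that fired several times is added to the table only once.
offending_ips() {
    printf '%s\n' "$SAMPLE_ALERTS" \
      | sed -n 's/.*} \([0-9.]*\):[0-9]* -> .*/\1/p' \
      | sort -u
}

# Emit the pf table operations a blocking plugin would run. These entries
# only matter on a firewall that actually forwards the traffic: a sensor fed
# from a SPAN port sees copies of packets it never forwards, so the same
# table entries would block nothing there.
block_commands() {
    offending_ips | while read -r ip; do
        printf 'pfctl -t %s -T add %s\n' "$TABLE" "$ip"
    done
}

# Print the commands by default; apply them only on explicit request and
# only where pfctl exists (i.e. on the pf firewall itself).
if [ "${1:-}" = "--apply" ] && command -v pfctl >/dev/null 2>&1; then
    block_commands | sh
else
    block_commands
fi
```

A `pass`/`block` rule in the pf ruleset must reference the table for the entries to have any effect; on pfSense the Snort package manages that rule for you.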
