SNORT and transparent firewall
I have a Pfsense box setup as firewall in transparent mode (bridged). I have also a SNORT package configured on the WAN zone (there is a bridge between WAN and DMZ).
In the system log I get no error message regarding SNORT all is looking normal, the problem is that I don't get any alerts on the SNORT interface and this is impossible is like the system is not working.
Any advice on how I can debug this problem?
As far as I can remember snort does not run in a bridge unless you manually set up the home net and external net. Try going into the snort interface settings (Services>snort>e button to your right) scroll down and click view list next to home net. Post the output of that. Change IPs to protect the innocent.
I have there the
220.127.116.11 –Google DNS
10.0.0.0/24 --NAT LAN
The gateway IP (ISP gateway)
public firewall IP
And this is all the rest of the IPs for the servers that are behind the transparent firewall are not listed here. Should I list them?
http://forum.pfsense.org/index.php/topic,63589.msg345194.html#msg345194 should have posted this earlier, please see bmeeks's and my posts there. I'm still thinking it's something along those lines.
Ok is working.
I have created an alias in firewall > aliases. In the alias I have added all the IPs that I am using behind the transparent firewall.
Then in Services > snort > whitelist I have created a list called homenetwork and added to the list the alias list from firewall alias list.
Editing the snort interface I have changed the Home Net from default to the new created list.
Everything is working now.
Glad I could help. Snort not working in a transparent bridge is almost guaranteed to be caused by incorrect automatic IP assignments to the variables, just for future google reference.