Enabling Snort on other interfaces
-
I have a pfSense box running with the following interfaces:
WAN - The connection to the internet
LAN - Where all the computers are
DMZ - Where the webserver is (accessible from the internet)
OpenVPN - All traffic from the LAN and DMZ is tunneled through the OpenVPN tunnel to an OpenVPN server
I have Snort running on the WAN interface and it's working (since I can see the attack attempts).
My question is: Do I need to enable Snort on the OpenVPN interface (since that's where all the traffic is going/coming from)? What about the DMZ interface? Or is enabling it on the WAN interface enough to protect all four interfaces?
-
Snort can't check an SSL connection on your WAN, so I would run it on all interfaces to keep an eye on what's going across all your other interfaces.
-
And then you would probably kill the firewall memory-wise until Bmeeks comes up with a way to get Snort going on multiple interfaces without loading all the rulesets more than once….
-
And then you would probably kill the firewall memory-wise until Bmeeks comes up with a way to get Snort going on multiple interfaces without loading all the rulesets more than once….
I have it running on WAN and LAN, but I don't recall any error messages(?)
-
And then you would probably kill the firewall memory-wise until Bmeeks comes up with a way to get Snort going on multiple interfaces without loading all the rulesets more than once….
Good point!
Just for reference, if anyone wonders how much memory Snort uses: I have everything switched on with Snort, i.e. as secure as possible on 4 interfaces, and it's using up 34% of 4Gb of RAM, using the AC-BNFA option.
FWIW.
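The thread's point is that pfSense runs one Snort process per monitored interface, each loading its own copy of the rulesets, so memory grows with every interface you enable. The script below is an added example (not from the thread or the pfSense package) that groups Snort RSS by interface from `ps -axo rss,command` output and reports the share of total RAM; the sample ps lines, the interface names and the `-R` ids are constructed.

```python
"""Summarise per-interface Snort memory on a pfSense box.

pfSense starts one Snort process per monitored interface, each loading its
own copy of the rulesets, so RSS grows with the number of interfaces.
Input is 'ps -axo rss,command' output (RSS in KiB).
"""
import re
from typing import Dict

# Matches the '-i <iface>' argument in a snort command line.
_IFACE_RE = re.compile(r"(?:^|\s)-i\s+(\S+)")


def snort_rss_by_iface(ps_output: str) -> Dict[str, int]:
    """Return {interface: RSS in KiB} summed over every snort process."""
    usage: Dict[str, int] = {}
    for line in ps_output.splitlines()[1:]:  # skip the ps header line
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        rss_kib, command = int(parts[0]), parts[1]
        # Only the snort daemon itself, not 'grep snort' or similar.
        if not re.search(r"(^|/)snort(\s|$)", command):
            continue
        m = _IFACE_RE.search(command)
        iface = m.group(1) if m else "unknown"
        usage[iface] = usage.get(iface, 0) + rss_kib
    return usage


def ram_share_percent(usage: Dict[str, int], total_ram_kib: int) -> float:
    """Percentage of total RAM used by all Snort instances together."""
    return round(100.0 * sum(usage.values()) / total_ram_kib, 1)


# Constructed sample (not a real capture): four interfaces, one process each.
SAMPLE_PS = """\
  RSS COMMAND
  1234 /usr/local/bin/php-cgi
355000 /usr/local/bin/snort -R 1 -D -q -l /var/log/snort/snort_em0 -i em0 -c /usr/local/etc/snort/snort_1_em0/snort.conf
350000 /usr/local/bin/snort -R 2 -D -q -l /var/log/snort/snort_em1 -i em1 -c /usr/local/etc/snort/snort_2_em1/snort.conf
348000 /usr/local/bin/snort -R 3 -D -q -l /var/log/snort/snort_em2 -i em2 -c /usr/local/etc/snort/snort_3_em2/snort.conf
352000 /usr/local/bin/snort -R 4 -D -q -l /var/log/snort/snort_ovpnc1 -i ovpnc1 -c /usr/local/etc/snort/snort_4_ovpnc1/snort.conf
   900 grep snort
"""

if __name__ == "__main__":
    by_iface = snort_rss_by_iface(SAMPLE_PS)
    for iface, kib in sorted(by_iface.items()):
        print(f"{iface:8} {kib / 1024:8.0f} MiB")
    print(f"total: {ram_share_percent(by_iface, 4 * 1024 * 1024)}% of 4 GiB")
```

On a live box, feed it `ps -axo rss,command` and the `hw.physmem` value (in KiB) instead of the constructed sample to see how much each interface's instance costs before enabling another one.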