Enabling Snort on other interfaces



  • I have a pfSense box running with the following interfaces:

    WAN - The connection to the internet
    LAN - Where all the computers are
    DMZ - Where the webserver is (accessible from the internet)
    OpenVPN - All traffic from the LAN and DMZ is tunneled through the OpenVPN tunnel to an OpenVPN server

    I have Snort running on the WAN interface and it's working (since I can see the attack attempts).

    My question is: Do I need to enable Snort on the OpenVPN interface (since that's where all the traffic is going/coming from)? What about the DMZ interface? Or is enabling it on the WAN interface enough to protect all four interfaces?



  • Snort can't check an SSL connection on your WAN, so I would run it on all interfaces to keep an eye on what's going across all your other interfaces.


  • And then you would probably kill the firewall memory-wise until Bmeeks comes up with a way to get Snort going on multiple interfaces without loading all the rulesets more than once….



  • @Supermule:

    And then you would probably kill the firewall memory-wise until Bmeeks comes up with a way to get Snort going on multiple interfaces without loading all the rulesets more than once….

    I have it running on WAN and LAN, but I don't recall any error messages(?)



  • @Supermule:

    And then you would probably kill the firewall memory-wise until Bmeeks comes up with a way to get Snort going on multiple interfaces without loading all the rulesets more than once….

    Good point!

    Just for reference, if anyone wonders how much memory Snort uses: I have everything switched on in Snort, i.e. as secure as possible, on 4 interfaces, and it's using up 34% of 4Gb of RAM, using the AC-BNFA option.

    FWIW.