Netgate Discussion Forum

    Snort on LAN Interface

    Firewalling
    8 Posts 6 Posters 9.6k Views
      Heli0s

      I have Snort running on all interfaces that are facing the internet (WAN/DMZ), however, I've also seen people run it on the LAN interface. Is that something that's necessary and if so, what kind of security does it give the network?

        smoothmove

        My understanding is that it offers no actual protection… It's more of a logging/reporting tool so you are able to see what is happening on the interfaces you choose to run it on. Running it LAN side would perhaps let you see if a host is sending stuff somewhere you wouldn't want...

        That's my understanding anyway!

          timthetortoise

          Snort is configurable as an IDS (no blocking, only logging and alerting), or an IPS (blocking, logging, and alerting). You will want to set your "home" networks for your internal ranges if they aren't already set up on pfSense, and then should be able to safely use it on your LAN interface with blocking enabled. It helps a lot to let you know who's causing alerts on the WAN side. If, for example, you get a CNC shadowserver alert on your WAN side, you can check your LAN side to see exactly which client triggered it, and take whatever measures to get rid of the threat on that client machine.

            Mr. Jingles

            @timthetortoise:

            Snort is configurable as an IDS (no blocking, only logging and alerting), or an IPS (blocking, logging, and alerting). You will want to set your "home" networks for your internal ranges if they aren't already set up on pfSense, and then should be able to safely use it on your LAN interface with blocking enabled. It helps a lot to let you know who's causing alerts on the WAN side. If, for example, you get a CNC shadowserver alert on your WAN side, you can check your LAN side to see exactly which client triggered it, and take whatever measures to get rid of the threat on that client machine.

            This is exactly why I also have it running on LAN, where it keeps complaining that I have a network trojan on my PC, even after I freshly reinstalled Windows 7 (only, so no additional apps) from the MS DVD I bought myself ;D

            6 and a half billion people know that they are stupid, aggressive, lower life forms.

              bmeeks

              @timthetortoise:

              Snort is configurable as an IDS (no blocking, only logging and alerting), or an IPS (blocking, logging, and alerting). You will want to set your "home" networks for your internal ranges if they aren't already set up on pfSense, and then should be able to safely use it on your LAN interface with blocking enabled. It helps a lot to let you know who's causing alerts on the WAN side. If, for example, you get a CNC shadowserver alert on your WAN side, you can check your LAN side to see exactly which client triggered it, and take whatever measures to get rid of the threat on that client machine.

              Well explained. Since most folks use NAT, if you only run Snort on the WAN interface, you never know which internal host triggered an alert because the logs will show only the external host and your WAN IP address. If you run Snort on the LAN side, then the logs show the internal pre-NAT address of your internal hosts and the external offender's IP. You don't need to run the same rules on both the LAN and WAN, though. I run the generic blocking stuff (ET CINS, ET RBN, etc.) on the WAN side. On my LAN side I run the other rules such as Snort Balanced IPS Policy and a few of the ET Trojan and other rule categories.

              Bill

                timthetortoise

                @Hollander:

                @timthetortoise:

                Snort is configurable as an IDS (no blocking, only logging and alerting), or an IPS (blocking, logging, and alerting). You will want to set your "home" networks for your internal ranges if they aren't already set up on pfSense, and then should be able to safely use it on your LAN interface with blocking enabled. It helps a lot to let you know who's causing alerts on the WAN side. If, for example, you get a CNC shadowserver alert on your WAN side, you can check your LAN side to see exactly which client triggered it, and take whatever measures to get rid of the threat on that client machine.

                This is exactly why I also have it running on LAN, where it keeps complaining that I have a network trojan on my PC, even after I freshly reinstalled Windows 7 (only, so no additional apps) from the MS DVD I bought myself ;D

                Add definite false positives to your suppression list.

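As an added example (not code from this thread, pfSense or the Snort project), the script below does the LAN/WAN correlation bmeeks describes, mapping a WAN-side alert that only shows the firewall's address back to the pre-NAT internal host seen on the LAN interface, and then writes the suppress-list line timthetortoise recommends for a confirmed false positive. The alert lines are constructed in Snort's alert_fast format; the IPs, sids and rule messages are placeholders.

```python
"""Match a WAN-side Snort alert (post-NAT, shows only the WAN IP) to the LAN-side
alert for the same signature, which names the pre-NAT internal host, then build a
suppress-list line for a confirmed false positive. Added example; logs are constructed."""
import re
from datetime import datetime

# Snort alert_fast layout: ts [**] [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?$")

# Constructed samples: 198.51.100.9 is the firewall WAN address, 192.168.1.23 an
# internal client, 203.0.113.x external hosts; sids 1000001/1000002 are local-rule
# placeholders, not real Snort or ET signature IDs.
WAN_LOG = [
    "01/27-10:15:32.120000  [**] [1:1000001:2] LOCAL TROJAN Example callback [**] [Priority: 1] {TCP} 198.51.100.9:51234 -> 203.0.113.50:443",
    "01/27-10:16:05.000000  [**] [1:1000002:1] LOCAL SCAN Example inbound probe [**] [Priority: 2] {TCP} 203.0.113.77:4444 -> 198.51.100.9:22",
]
LAN_LOG = [
    "01/27-10:15:32.115000  [**] [1:1000001:2] LOCAL TROJAN Example callback [**] [Priority: 1] {TCP} 192.168.1.23:51234 -> 203.0.113.50:443",
]

def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")  # alert_fast has no year
    return rec

def correlate(wan_lines, lan_lines, window_s=2.0):
    """For each WAN alert return (wan_rec, internal_ip): the LAN alert with the same
    gid:sid and destination within window_s seconds gives the pre-NAT source.
    Inbound alerts with no LAN counterpart (a probe against the WAN) map to None."""
    lan = [r for r in map(parse_alert, lan_lines) if r]
    result = []
    for w in filter(None, map(parse_alert, wan_lines)):
        hit = next((l["src"] for l in lan
                    if (l["gid"], l["sid"]) == (w["gid"], w["sid"])
                    and (l["dst"], l["dport"]) == (w["dst"], w["dport"])
                    and abs((l["ts"] - w["ts"]).total_seconds()) <= window_s), None)
        result.append((w, hit))
    return result

def suppress_entry(rec, internal_ip):
    """Suppress-list line (Snort threshold.conf syntax, which pfSense's Suppress List
    uses) that silences this signature only for the one host confirmed to be clean."""
    return f"suppress gen_id {rec['gid']}, sig_id {rec['sid']}, track by_src, ip {internal_ip}"
```

Tracking the suppression by source IP keeps the signature active for every other internal host, so a real infection elsewhere on the LAN still alerts.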
                  cogumel0

                  First of all, sorry for necroing an old thread, but since it is related to something already discussed here I think it makes more sense than opening a new one.

                  You don't need to run the same rules on both the LAN and WAN, though.  I run the generic blocking stuff (ET CINS, ET RBN, etc.) on the WAN side.  On my LAN side I run the other rules such as Snort Balanced IPS Policy and a few of the ET Trojan and other rule categories.

                  I understand why there is no need to run Snort with the same rules on both LAN and WAN, but if you set all of the rules you would like on the LAN side, why would you need to have Snort on your WAN at all?

                  I mean, what are the advantages of running some rules on WAN and some rules on LAN vs just running everything on LAN?

                    timthetortoise

                    If you are running multiple WAN connections, it may be necessary to see which side is getting hit by a certain alert.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.