Snort on LAN Interface



  • I have Snort running on all interfaces that are facing the internet (WAN/DMZ); however, I've also seen people run it on the LAN interface. Is that something that's necessary and, if so, what kind of security does it give the network?



  • My understanding is that it offers no actual protection… It's more of a logging/reporting tool so you are able to see what is happening on the interfaces you choose to run it on. Running it LAN side would perhaps let you see if a host is sending stuff somewhere you wouldn't want...

    That's my understanding anyway!



  • Snort is configurable as an IDS (no blocking, only logging and alerting), or an IPS (blocking, logging, and alerting). You will want to set your "home" networks for your internal ranges if they aren't already set up on pfSense, and then should be able to safely use it on your LAN interface with blocking enabled. It helps a lot to let you know who's causing alerts on the WAN side. If, for example, you get a CNC shadowserver alert on your WAN side, you can check your LAN side to see exactly which client triggered it, and take whatever measures to get rid of the threat on that client machine.



  • @timthetortoise:

    Snort is configurable as an IDS (no blocking, only logging and alerting), or an IPS (blocking, logging, and alerting). You will want to set your "home" networks for your internal ranges if they aren't already set up on pfSense, and then should be able to safely use it on your LAN interface with blocking enabled. It helps a lot to let you know who's causing alerts on the WAN side. If, for example, you get a CNC shadowserver alert on your WAN side, you can check your LAN side to see exactly which client triggered it, and take whatever measures to get rid of the threat on that client machine.

    This is exactly why I also have it running on LAN, where it keeps complaining that I have a network trojan on my PC, even after I freshly reinstalled Windows 7 (only, so no additional apps) from the MS DVD I bought myself  ;D



  • @timthetortoise:

    Snort is configurable as an IDS (no blocking, only logging and alerting), or an IPS (blocking, logging, and alerting). You will want to set your "home" networks for your internal ranges if they aren't already set up on pfSense, and then should be able to safely use it on your LAN interface with blocking enabled. It helps a lot to let you know who's causing alerts on the WAN side. If, for example, you get a CNC shadowserver alert on your WAN side, you can check your LAN side to see exactly which client triggered it, and take whatever measures to get rid of the threat on that client machine.

    Well explained.  Since most folks use NAT, if you only run Snort on the WAN interface, you never know which internal host triggered an alert because the logs will show only the external host and your WAN IP address.  If you run Snort on the LAN side, then the logs show the internal pre-NAT address of your internal hosts and the external offender's IP.  You don't need to run the same rules on both the LAN and WAN, though.  I run the generic blocking stuff (ET CINS, ET RBN, etc.) on the WAN side.  On my LAN side I run the other rules such as Snort Balanced IPS Policy and a few of the ET Trojan and other rule categories.

    Bill
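    Bill's NAT point in working form, as an added example that is not from this thread, pfSense or the Snort project: it parses Snort fast-format alert lines from the WAN and LAN alert files and joins them on what NAT leaves intact (rule SID, direction and the external endpoint) within a time window, so a WAN-side alert is traced back to the pre-NAT internal host. The alert lines, SIDs and messages, the 192.168.1.0/24 home net and the 198.51.100.7 WAN address are all constructed; only the line format is Snort's.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed Snort "fast" alert lines for the same event on both interfaces; SIDs,
# messages and addresses are made up, only the line format is real.
WAN_ALERTS = """\
05/14-10:02:31.120000  [**] [1:1000001:1] EXAMPLE CNC beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 198.51.100.7:51234 -> 203.0.113.5:443
05/14-10:02:45.900000  [**] [1:1000002:1] EXAMPLE inbound scan [**] [Priority: 2] {TCP} 203.0.113.99:40000 -> 198.51.100.7:22
"""
LAN_ALERTS = """\
05/14-10:02:31.118000  [**] [1:1000001:1] EXAMPLE CNC beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.23:51234 -> 203.0.113.5:443
"""
HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed internal range
WAN_IP = ipaddress.ip_address("198.51.100.7")      # assumed WAN address
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{\w+\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Parse fast-format lines (the timestamp carries no year); other lines are skipped."""
    alerts = [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]
    for a in alerts:
        a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
    return alerts


def nat_key(alert, interface):
    """Return (key, local_ip): the key is what NAT leaves intact, i.e. SID, direction
    and external endpoint; the local side is WAN_IP on WAN and a HOME_NET host on LAN."""
    def local(ip):
        ip = ipaddress.ip_address(ip)
        return ip == WAN_IP if interface == "wan" else ip in HOME_NET
    if local(alert["src"]):
        return (alert["sid"], "out", alert["dst"], alert["dport"]), alert["src"]
    if local(alert["dst"]):
        return (alert["sid"], "in", alert["src"], alert["sport"]), alert["dst"]
    return None, None


def correlate(wan_text, lan_text, window=timedelta(seconds=5)):
    """For each WAN alert, find the pre-NAT host that raised the same alert on LAN
    within `window`; returns [(rule message, internal IP or None), ...]."""
    lan_seen = {}
    for a in parse_alerts(lan_text):
        key, host = nat_key(a, "lan")
        if key:
            lan_seen.setdefault(key, []).append((a["ts"], host))
    results = []
    for w in parse_alerts(wan_text):
        key, _ = nat_key(w, "wan")
        hits = [h for ts, h in lan_seen.get(key, []) if abs(ts - w["ts"]) <= window]
        results.append((w["msg"], hits[0] if hits else None))
    return results
```

    The inbound scan stays unmatched on purpose: the firewall drops it before it reaches the LAN interface, so only the WAN alert file ever records it, which is the one case where the WAN-side Snort instance shows something the LAN-side one cannot.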



  • @Hollander:

    @timthetortoise:

    Snort is configurable as an IDS (no blocking, only logging and alerting), or an IPS (blocking, logging, and alerting). You will want to set your "home" networks for your internal ranges if they aren't already set up on pfSense, and then should be able to safely use it on your LAN interface with blocking enabled. It helps a lot to let you know who's causing alerts on the WAN side. If, for example, you get a CNC shadowserver alert on your WAN side, you can check your LAN side to see exactly which client triggered it, and take whatever measures to get rid of the threat on that client machine.

    This is exactly why I also have it running on LAN, where it keeps complaining that I have a network trojan on my PC, even after I freshly reinstalled Windows 7 (only, so no additional apps) from the MS DVD I bought myself  ;D

    Add definite false positives to your suppression list.



  • First of all, sorry for necroing an old thread, but since it is related to something already discussed here I think it makes more sense than opening a new one.

    You don't need to run the same rules on both the LAN and WAN, though.  I run the generic blocking stuff (ET CINS, ET RBN, etc.) on the WAN side.  On my LAN side I run the other rules such as Snort Balanced IPS Policy and a few of the ET Trojan and other rule categories.

    I understand why there is no need to run Snort with the same rules on both LAN and WAN, but if you set all of the rules you would like on the LAN side, why would you need to have Snort on your WAN at all?

    I mean, what are the advantages of running some rules on WAN and some rules on LAN vs just running everything on LAN?



  • If you are running multiple WAN connections, it may be necessary to see which side is getting hit by a certain alert.

