PFSense and Snort



  • Hi,

    I would like to know what are best practices regarding running Snort on PFsense and using PFsense as FW as well as IDS solution. I installed and configured Snort on pfsense without a problem, but Snort has put my interfaces in promiscuous mode (WAN interface as well as LAN interface), thus making them unreachable. Therefore I couldn't connect with VPN to the pfsense anymore and I had to manually reset snort.

    Because Snort puts the interfaces in promiscuous mode, I see two solutions:
    1. Disable Snort from going into promiscuous mode and sniff only the traffic going through the pfsense box. Is there a way to do that through a web interface?
    2. Create an additional WAN as well as LAN interface and put those interfaces into promiscuous mode, which Snort can use. When this option is used I would be able to access the pfsense because WAN1 would be used normally and WAN2 would be in promiscuous mode … but I'm not sure whether I can do that as simply as it sounds, because the packets would need to be copied to the second WAN2 interface as well.

    What are best practices to run Snort on pfsense?

    Thank you



  • @eleanor:

    Hi,

    I would like to know what are best practices regarding running Snort on PFsense and using PFsense as FW as well as IDS solution. I installed and configured Snort on pfsense without a problem, but Snort has put my interfaces in promiscuous mode (WAN interface as well as LAN interface), thus making them unreachable. Therefore I couldn't connect with VPN to the pfsense anymore and I had to manually reset snort.

    Not sure I understand what you mean by "unreachable". I use Snort on three interfaces (WAN, LAN and DMZ) and have no problem using the OpenVPN package for client connections.

    @eleanor:

    What are best practices to run Snort on pfsense?

    Thank you

    Most folks run it on the WAN interface using a combination of Snort VRT and Emerging Threats rules. My personal recommendation is to run it on both the WAN and LAN interfaces with different rules on each. For the WAN, I used the ET-CIARMY, ET-RBN and other block list rules containing known poor reputation IPs. For the LAN side, I use the Snort VRT "Balanced IPS Policy" combined with some of the Emerging Threats Trojan and Worm rules.

    Bill
