Need help in conf SNORT to scan internal traffic



  • I need some help in the right way to set up SNORT to scan LAN traffic. What I want to check for are:
    1. any questionable traffic originating from an internal host and targeting another internal client (worms, malware, zombies, etc.)
    2. any questionable traffic originating from the LAN toward the external WAN (malware or a worm trying to call out, etc.)

    I found this post https://forum.pfsense.org/index.php?topic=61132.0
    and it basically said
    "You need to redefine your Home Net.  By default Home Net defines the translated addresses on the WAN interface, not the internal LAN addresses.

    1)  Define an Alias representing the networks on your LAN
    2)  Create a "whitelist" (yes, it seems counterintuitive) associated with your Alias.  Make sure all autogenerated IPs categories are unchecked.
    3)  In the interface settings for your LAN, change Home Net to your "whitelist" defining your Home Net.

    You will now start receiving alerts on the LAN interface."

    There were no additional comments on the post. Is it the right approach? The reason I ask is, I followed this setup and the SNORT log is basically just a mirror of the WAN interface with the "Src" and "Dst" columns flipped.

    Thanks in advance.



  • @bwong3351:

    I need some help in the right way to setup SNORT to scan LAN traffic. What I want to check for are:

    Thanks in advance.

    1. any questionable traffic originating from an internal host and targeting another internal client (worms, malware, zombies, etc.)

    The only way to do this is with a SPAN (or mirror) port set up in your LAN network switch infrastructure.  Internal traffic on a LAN going from one internal host to another internal host does not traverse your firewall.  It simply goes point-to-point.  Therefore Snort will never see it and can't analyze it.  Now if you configure a suitable SPAN port that accurately gets a copy of all LAN traffic passing through the switch, then you can connect a firewall interface to that port and let Snort sniff it.  Do not use the regular LAN port, though.  You don't want to overload the actual LAN port with all that internal host-to-host traffic being copied off the SPAN port.  In this setup you do not configure Snort to block (it can't block such traffic anyway).  You just let Snort sniff and alert.  That it will do just fine assuming you correctly configure the SPAN port infrastructure.  You will need a capable (as in generally lots of $$) switch to accomplish this.

    Another option is a passive Ethernet tap.  You can Google that term and find some examples.  With a tap in a switched network, placement is key to getting anything.  If the traffic you want to analyze does not traverse the tap, you can't sample it.  In a switched network, the easiest solution is usually a SPAN or mirror port setup in the central switch.

    2. any questionable traffic originating from the LAN toward the external WAN (malware or a worm trying to call out, etc.)

    Snort can see this no matter if you run it on the WAN or the LAN interface.  It is your choice.  Just be aware that Snort puts the sniffed interface in promiscuous mode, so if on the WAN you might see things not specifically targeted at your firewall depending on exactly how your WAN connects to the rest of the outside world.

    Bill
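    As an added illustration (not from the thread or from Snort itself), a small Python model of the two points above: how the HOME_NET/EXTERNAL_NET variables decide which rule headers a flow can match, and why a flow between two hosts on the same LAN segment never reaches the firewall's Snort instance. The LAN alias, WAN address and flow addresses are constructed sample values.

```python
import ipaddress

# Constructed sample values, not from the thread: the LAN alias the original
# poster would define, and the firewall WAN address the default Home Net maps to.
LAN_ALIAS = ["192.168.1.0/24", "192.168.10.0/24"]
WAN_ADDRESS = ["203.0.113.2/32"]
CALLOUT_RULE = "alert tcp $HOME_NET any -> $EXTERNAL_NET any"   # "LAN calling out" shape
INTERNAL_RULE = "alert tcp $HOME_NET any -> $HOME_NET any"      # "host to host" shape

def home_net(cidrs):
    """Model 'ipvar HOME_NET [...]'; EXTERNAL_NET is implicitly !$HOME_NET."""
    return [ipaddress.ip_network(c) for c in cidrs]

def var_matches(var, ip, home):
    """Evaluate one rule-header address variable against one IP address."""
    in_home = any(ipaddress.ip_address(ip) in net for net in home)
    if var == "$HOME_NET":
        return in_home
    if var == "$EXTERNAL_NET":      # snort.conf default: ipvar EXTERNAL_NET !$HOME_NET
        return not in_home
    return var == "any"

def rule_header_matches(header, src, dst, home):
    """Check only the source/destination address fields of a unidirectional
    header such as 'alert tcp $EXTERNAL_NET any -> $HOME_NET any'."""
    f = header.split()
    if f[4] != "->":
        raise ValueError("only unidirectional headers are modelled")
    return var_matches(f[2], src, home) and var_matches(f[5], dst, home)

def crosses_firewall(src, dst, lan_cidrs):
    """Endpoints that share one LAN subnet talk point to point through the
    switch; that traffic never hits a pfSense interface (hence the SPAN port)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not any(s in n and d in n for n in map(ipaddress.ip_network, lan_cidrs))

def would_alert(header, src, dst, home, lan_cidrs):
    """Snort on the LAN interface alerts only if it sees the flow at all AND
    the header's address variables match with the configured Home Net."""
    return crosses_firewall(src, dst, lan_cidrs) and rule_header_matches(header, src, dst, home)

if __name__ == "__main__":
    # Default Home Net (WAN address): an outbound LAN flow is not $HOME_NET -> $EXTERNAL_NET.
    print(would_alert(CALLOUT_RULE, "192.168.1.20", "198.51.100.7", home_net(WAN_ADDRESS), LAN_ALIAS))
    # Home Net redefined to the LAN alias: the same flow now matches the call-out rule.
    print(would_alert(CALLOUT_RULE, "192.168.1.20", "198.51.100.7", home_net(LAN_ALIAS), LAN_ALIAS))
    # Host-to-host on one subnet matches the rule header but is never seen by the firewall.
    print(would_alert(INTERNAL_RULE, "192.168.1.20", "192.168.1.30", home_net(LAN_ALIAS), LAN_ALIAS))
```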


  • Moderator

    To add to Bill's comments:

    I use Mikrotik switches to mirror my traffic. They are not that expensive.. under a hundred dollars. Depending on how much traffic you are seeing, it should handle quite a bit of traffic. The good thing about this switch is that you can mirror multiple ports on a single switch.

    http://routerboard.com/RB260GS

    pfSense will monitor all traffic that passes through the router. But if you want to capture traffic on the LAN, you need to put a monitoring interface at every point you want to look at. So if you want to monitor a file server, you need to mirror/span/tap in front of that interface to see it.

    You can add a NIC to pfSense and send the packets to it and use Snort, or another option is using a program called "Security Onion".

    http://blog.securityonion.net/

