Snort not working on the LAN interface?



  • I am trying to figure out why my Snort will not work on the LAN interface. I originally had it running on the WAN interface and it worked fine. I noticed some alerts with regards to Trojan but the source IP was my WAN interface, not the culprit within my network. So I made a LAN interface and used the same IPS policy (connectivity) and rules (I have a Snort subscription) and I get no alerts. The interface goes active without any issues but I do not receive any alerts at all.  This is my home network so it isn't the end of the world but I would like for it to work.

    This is how my network is laid out:

    LAN => WAP / Switch => pfSense / Snort => Internet



  • Does the lack of response mean no one knows the answer to this? I am a gold member and see nothing about this in the guide so I am hoping someone out of the people who visit these boards knows something.


  • Moderator

    @zerodamage:

    Does the lack of response mean no one knows the answer to this? I am a gold member and see nothing about this in the guide so I am hoping someone out of the people who visit these boards knows something.

    This is probably related to the "Rules" error from your other post. Try to get the rules to download first before troubleshooting this issue.

    Everyone here in the Package sections does this for free and because they want to support the community of pfSense. The money you pay to ESF is for the base pfSense software.

    Always search the forum and try to Google the issue before posting. Most issues are already known or solutions are already posted.

    BTW- Welcome to our community…



  • @BBcan177:

    @zerodamage:

    Does the lack of response mean no one knows the answer to this? I am a gold member and see nothing about this in the guide so I am hoping someone out of the people who visit these boards knows something.

    This is probably related to the "Rules" error from your other post. Try to get the rules to download first before troubleshooting this issue.

    Everyone here in the Package sections does this for free and because they want to support the community of pfSense. The money you pay to ESF is for the base pfSense software.

    Always search the forum and try to Google the issue before posting. Most issues are already known or solutions are already posted.

    BTW- Welcome to our community…

    No, my other post is about a different package from Snort. Due to a lack of any kind of solution to the Snort problem, I decided to give Suricata a try, which so far is working.

    The money I paid is because I want to support pfSense development.

    I did search Google and the forums. This isn't my first time to the rodeo.



  • @zerodamage:

    I am trying to figure out why my Snort will not work on the LAN interface. I originally had it running on the WAN interface and it worked fine. I noticed some alerts with regards to Trojan but the source IP was my WAN interface, not the culprit within my network. So I made a LAN interface and used the same IPS policy (connectivity) and rules (I have a Snort subscription) and I get no alerts. The interface goes active without any issues but I do not receive any alerts at all.  This is my home network so it isn't the end of the world but I would like for it to work.

    This is how my network is laid out:

    LAN => WAP / Switch => pfSense / Snort => Internet

    There may simply be nothing too nefarious happening in your LAN.  I get maybe one or two alerts per week on my LAN.  I get a ton on my WAN, but that's because I run some IP Reputation rules there and known spammer and other malicious IPs make connection attempts.  Also remember that Snort puts the interface it runs on in promiscuous mode, so that would mean the WAN sees a lot of extra stuff, for example.

    If you want to test Snort on your LAN, install a tool like nmap on a host and scan your firewall.  That should trigger some alerts.

    Bill
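The test Bill describes (scan the firewall from a LAN host, then confirm alerts show up with an internal source address) can be checked mechanically. The script below is an added example, not code from the thread or from the pfSense Snort package: it builds the nmap command to run from a LAN host, then parses Snort "fast" alert lines and reports which alerts came from a LAN-internal source. The alert lines are constructed for the example; the pfSense alert path, the LAN subnet 192.168.1.0/24, the firewall address 192.168.1.1 and the rule SIDs are all assumptions you would replace with your own.

```python
"""Verify a Snort LAN-interface test produced alerts with internal source IPs.

Added example, not part of the forum thread. SAMPLE_ALERTS is constructed
in Snort's "fast" alert format. On pfSense the real file lives under
/var/log/snort/snort_<iface><uuid>/alert (assumed path; check your box).
"""
import ipaddress
import re
from collections import Counter

# One fast-format alert per line:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ..]
#   [Priority: n] {PROTO} src[:port] -> dst[:port]
# Classification is optional; ports are absent for ICMP.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample: two alerts from a LAN host scanning the firewall,
# one post-NAT alert where the WAN address (203.0.113.7) is the source.
SAMPLE_ALERTS = """\
01/15-10:02:11.123456  [**] [1:1000001:1] LOCAL SCAN ping to firewall [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.50 -> 192.168.1.1
01/15-10:02:12.654321  [**] [1:1000002:1] LOCAL SCAN SYN to firewall ssh [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:41022 -> 192.168.1.1:22
01/15-10:05:00.000001  [**] [1:1000003:1] LOCAL outbound probe [**] [Priority: 3] {TCP} 203.0.113.7:55000 -> 198.51.100.20:443
"""


def nmap_test_command(firewall_ip, ports="1-1024"):
    """Argument list for the LAN-side test scan (run it on a LAN host, not on pfSense).

    -sS: TCP SYN scan; -Pn: skip host discovery so the scan runs even if
    ICMP is filtered. Both are standard nmap flags.
    """
    return ["nmap", "-sS", "-Pn", "-p", ports, firewall_ip]


def parse_alerts(text):
    """Yield one dict per parsable fast-format alert line; skip anything else."""
    for line in text.splitlines():
        m = FAST_ALERT.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
            d[k] = int(d[k]) if d[k] is not None else None
        yield d


def lan_sources(alerts, lan_cidr):
    """Count alerts whose source address is inside the LAN subnet.

    An alert whose source is the WAN address (post-NAT) does not count;
    that is exactly the symptom of running Snort on WAN only.
    """
    lan = ipaddress.ip_network(lan_cidr)
    counts = Counter()
    for a in alerts:
        if ipaddress.ip_address(a["src"]) in lan:
            counts[a["src"]] += 1
    return counts


def lan_test_passed(alerts, lan_cidr):
    """True when at least one alert identifies a LAN-internal source host."""
    return bool(lan_sources(alerts, lan_cidr))


if __name__ == "__main__":
    print("run on a LAN host:", " ".join(nmap_test_command("192.168.1.1")))
    found = list(parse_alerts(SAMPLE_ALERTS))
    by_src = lan_sources(found, "192.168.1.0/24")
    print(f"{len(found)} alerts parsed; LAN-internal sources: {dict(by_src)}")
    print("LAN test passed" if lan_test_passed(found, "192.168.1.0/24")
          else "no LAN-sourced alerts: Snort LAN instance is not alerting")
```

Point the parser at the LAN instance's alert file after the scan. If the file stays empty while the WAN instance alerts, the LAN instance is not seeing the traffic (wrong interface, rules not downloaded, or no rules enabled on that instance), which is the condition the original poster describes.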