Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort destination LAN IP

    Scheduled Pinned Locked Moved pfSense Packages
    2 Posts 2 Posters 904 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      Heli0s
      last edited by

      Currently, I have Snort setup on pfSense with the Connectivity IPS policy (block src and dst). Everything works as it should, however, the issue that I'm having is that when Snort blocks something, I can only see my WAN address and the address of the remote server. Is there a way for me to see the local LAN IP that caused the alert (or was the target of the attack), to see if one of my computers got infected or is misbehaving?

      1 Reply Last reply Reply Quote 0
      • W
        Wolf666
        last edited by

        The only way is to run snort also in LAN (as I do). I use the same rules for both WAN and LAN. There is a long sticky thread with some advises on that.

        Modem Draytek Vigor 130
        pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
        Switch Cisco SG350-10
        AP Netgear R7000 (Stock FW)
        HTPC Intel NUC5i3RYH
        NAS Synology DS1515+
        NAS Synology DS213+

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.