SNORT Alerts



  • First off, a disclaimer:  I'm relatively new to pfSense and a complete newbie with intrusion detection.  So if my question seems dumb or obvious, that's why.  :)

    I just installed SNORT yesterday.  It seems to be functioning and generating alerts.  The odd thing is that the alerts show the source as the WAN IP of pfSense and the destination as a random address on the Internet.

    For someone trying to intrude on us, I expected it to be the other way around:  Source would be some random IP address and destination would be our WAN address.

    Am I reading this wrong?


  • Moderator

    If you add a Snort "LAN" Interface, you will see the Local IPs that generated the Alert.



  • Thanks, BBcan.

    I just enabled Snort on LAN.  The alerts don't show any local IP addresses.  Will they only show up for issues that occur from this point forward or should it be showing local IPs for the existing entries?


  • Moderator

    Yes it will only show Alerts from when you enabled the "Lan" Interface.



  • OK.  I'll keep an eye on it.



  • @Sabbec:

    OK.  I'll keep an eye on it.

    Simplifying things a bit, Snort sees traffic on the WAN interface with NAT in place, while on the LAN interface it sees the traffic before NAT (for outbound traffic) and after NAT (for inbound traffic).  That means on the WAN side all incoming and outgoing traffic seen by Snort appears to be destined for or coming from the WAN IP address.  The NAT will happen later down the chain after Snort has seen the traffic.  Thus in a NAT setup, Snort on the WAN will always see everything on your local network as originating from or destined to your WAN IP instead of the real local addresses behind the NAT firewall.

    When you run Snort on the LAN as well, then it sees the traffic with the pre-NAT actual local IP addresses.  So all the IP addresses logged in the alerts are more informative.

    My recommendation for home users and small commercial users is to run most- if not all- of the Snort rules on the LAN interface and very few (or even none) on the WAN interface.  This is for a NAT setup.  This way the logged IP addresses in the alerts will be easy to track down.

    Bill



  • That helps quite a bit.  Thanks for the info, Bill!



  • Thanks bmeeks,

    I have a small lan but have only ever listened on my Wan interface.

    Are you saying it's better to listen on Lan just so you can see which internal client is being targeted or responding to something dodgy?

    I would have thought you would want Wan with all or most rules as it's better to capture or stop elements before it reaches your Lan interface?

    Hope I'm not starting a Lan, Wan War here now  :P



  • @FlashPan:

    Thanks bmeeks,

    I have a small lan but have only ever listened on my Wan interface.

    Are you saying it's better to listen on Lan just so you can see which internal client is being targeted or responding to something dodgy?

    I would have thought you would want Wan with all or most rules as it's better to capture or stop elements before it reaches your Lan interface?

    Hope I'm not starting a Lan, Wan War here now  :P

    My view for home users is it's better to analyze the LAN traffic so you can easily track down any internal problems by IP address.  Since the usual default for home users is "deny all unsolicited inbound" traffic on the WAN, there is not a huge risk for something coming in that an internal host did not first ask for.  Or stated another way, properly configured and not loaded down with tons of packages, your pfSense firewall itself  (the WAN IP) presents a very limited attack surface.  The bigger worry in my view is all the hosts on the internal networks.  Those are the ones that will be visiting potential problem web sites, downloading files, and opening possibly malicious e-mails.

    Bill


Log in to reply