Possible to make Snort block IP on specific interface



  • Second related question: is it possible to have Snort block only on the interface it is configured for?

    Our setup: We have public WiFi and staff networks both being handled by our pfSense router. We have Snort set up on the "public wifi" network to be extremely restrictive. This is causing problems because it is blocking the offending IPs for ALL interfaces instead of just the interface it has been configured on.

    Is setting up a second (third, fourth, etc.) pfSense box for every network I want to Snort, so that they do not interfere with each other, my only option, or is there a way to get Snort to only block on the interface it has been configured on?



  • Snort and IPS/IDS in general is not a turn-on-once-and-leave-it-running kind of solution. You need to assess whether the alerts being triggered are false positives or not and add suppress / pass lists based on your needs.
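As an added illustration of the suppress-list approach mentioned in the reply above (this is not from the original thread or from the pfSense project; the signature IDs and the 10.10.20.0/24 network are placeholder assumptions), these are Snort threshold.conf style entries that stop a signature from alerting, and therefore from feeding the block list, either globally or only for a chosen source network, with a rate limit as the gentler alternative to full suppression:

```snort
# Added example, not from the original post. SIDs and networks are placeholders.

# Never alert on this signature at all (use only after confirming it is a
# false positive on this network).
suppress gen_id 1, sig_id 1000001

# Keep the signature active, but ignore events where the source address is
# the staff network so staff hosts are not added to the block list.
suppress gen_id 1, sig_id 1000002, track by_src, ip 10.10.20.0/24

# Ignore events by destination instead, e.g. for a known-noisy internal service.
suppress gen_id 1, sig_id 1000003, track by_dst, ip 10.10.20.5

# Rate-limit rather than suppress: log at most one event per source per minute.
# The alert still fires, so it will still trigger blocking if the signature
# is set to block; use this only for noise reduction, not to prevent blocks.
event_filter gen_id 1, sig_id 1000004, type limit, track by_src, count 1, seconds 60
```

A suppressed event is dropped before the blocking logic sees it, which is why suppress entries (or an explicit pass list of addresses that must never be blocked) are the knob to turn when a signature keeps sweeping legitimate hosts into the block list; each entry should be tied to an alert you have actually reviewed rather than added speculatively.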