Snort on Lan & Wan



  • Howdy,

    I am a new user and I currently have Snort running on the Lan using VRT rules (Paid). I would like to also run Snort on the Wan using the Emerging Threats rules but I am not sure how to do this without affecting the Lan rules. Thanks for your help.



  • @wbennett77:

    Howdy,

    I am a new user and I currently have Snort running on the Lan using VRT rules (Paid). I would like to also run Snort on the Wan using the Emerging Threats rules but I am not sure how to do this without affecting the Lan rules. Thanks for your help.

    My suggestion in a NAT environment is to run all of your rules on the LAN side excepting only any ET rules that are direct IP address drops like the old ET-CIARMY and the current ET-CINS and ET-DROP rules.  When you have a NAT setup and run rules on your WAN interface, all the "internal" IP addresses will show up as your WAN IP.  This means if you have an infected PC on your LAN that triggers say one of those ET rules you want to put just on your WAN, then you can't find the PC that triggered the rule because the only internal IP you have to search with in the alert is the WAN IP.

    On the other hand, if you put all the malware, Trojan and other such threats rules on the LAN, then when they trigger you will get the real IP of the infected internal host along with whatever destination host it attempted to communicate with.  Now if you have public IP space on both sides, then it does not matter where you put your rules.

    Bill



  • Thanks Bill,
    So if I read your response correctly, in my situation I should just use the VRT and the ET rules on the lan except for the few ET you mentioned? How would I identify which ET rules are direct IP drops besides the three you spoke about?



  • These are really different schools of thought. Some say don't put an IDS on WAN, others will say put it mostly on WAN…etc.

    Bear in mind that some vulnerabilities will only happen on WAN...like NTP and DNS amplification, vulnerabilities that are against your firewall and not your hosts...etc.

    I say put an IDS on all interfaces where you want to block/analyse/log traffic based on packet/payload inspection.

    But since you are starting with Snort, depending on your RAM config, services running and the number of users...try it on both interfaces and see for yourself. Then just progressively disable the rules you want...

    F.



  • @wbennett77:

    Thanks Bill,
    How would I identify which ET rules are direct IP drops besides the three you spoke about?

    The rule text will just be a long list of IP addresses.  It's not terribly critical that they go on just the WAN, though.

    As another poster mentioned, there is some debate on the merits of where to put IDS rules (WAN, LAN or both).  I find that for most home users with NAT, putting the rules on the LAN side helps you better find any infected hosts without a lot of searching.  On the other hand, most home networks are small enough that even a brute-force search of all the machines would not take very long.  For me I just like the convenience of having the offending host's real IP immediately available in the alert message on the ALERTS tab.

    Bill
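
As an added example (not code from this thread or from the Snort, VRT or Emerging Threats projects), here is a small Python script that does what Bill describes by hand: it reads a rules file, looks at the source and destination fields of each rule header, and flags rules whose header is mostly a literal list of IP addresses as reputation/drop-list rules. Those are the candidates to keep on the WAN side; everything else (payload and flow-based rules) stays on the LAN so that alerts carry the real internal host address. The rules in SAMPLE_RULES are constructed for this example and are not real ET rule text, and the threshold of three literal addresses is an assumption you can tune.

```python
import re
from typing import Dict, Optional

# Constructed sample rules in Snort syntax, written for this example only; they are
# not real VRT or Emerging Threats rules. SIDs are in the local (>1,000,000) range.
SAMPLE_RULES = """
# disabled rules in ET files start with "#" and are skipped below
alert ip [198.51.100.7,198.51.100.9,203.0.113.45,203.0.113.77,192.0.2.200] any -> $HOME_NET any (msg:"CONSTRUCTED inbound from listed hosts"; classtype:misc-attack; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"CONSTRUCTED IRC command channel"; flow:to_server,established; content:"NICK "; classtype:trojan-activity; sid:9000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"CONSTRUCTED NTP monlist request"; content:"|17 00 03 2a|"; offset:0; depth:4; classtype:attempted-recon; sid:9000003; rev:1;)
alert ip $HOME_NET any -> [192.0.2.10,192.0.2.11,192.0.2.12,192.0.2.13,192.0.2.14,192.0.2.15] any (msg:"CONSTRUCTED outbound to listed hosts"; classtype:misc-attack; sid:9000004; rev:1;)
"""

# Snort rule header: action proto src sport dir dst dport (options)
RULE_HEADER = re.compile(
    r"^(?P<action>alert|drop|sdrop|reject|log|pass)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
IPV4_LITERAL = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b")
MSG = re.compile(r'msg:\s*"([^"]*)"')
SID = re.compile(r"\bsid:\s*(\d+)")


def parse_rule(line: str) -> Optional[dict]:
    """Split one rule line into the header fields we care about; None if not a rule."""
    m = RULE_HEADER.match(line.strip())
    if not m:
        return None
    opts = m.group("opts")
    sid = SID.search(opts)
    msg = MSG.search(opts)
    return {
        "sid": int(sid.group(1)) if sid else None,
        "msg": msg.group(1) if msg else "",
        "src": m.group("src"),
        "dst": m.group("dst"),
        # literal addresses (and CIDRs) found in each address field
        "src_ips": IPV4_LITERAL.findall(m.group("src")),
        "dst_ips": IPV4_LITERAL.findall(m.group("dst")),
        # payload rules carry content: matches; pure reputation rules do not
        "has_content": "content:" in opts,
    }


def is_ip_list_rule(rule: dict, min_ips: int = 3) -> bool:
    """A rule whose src or dst field is a long list of literal addresses matches on
    who the packet is talking to, not on what it says (assumed threshold: min_ips)."""
    return max(len(rule["src_ips"]), len(rule["dst_ips"])) >= min_ips


def classify_rules(text: str, min_ips: int = 3) -> Dict[int, str]:
    """Map each enabled rule's SID to the interface it belongs on, following the
    advice in the thread: IP-list rules -> "wan", everything else -> "lan"."""
    placement: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or disabled rule
        rule = parse_rule(line)
        if rule is None or rule["sid"] is None:
            continue
        placement[rule["sid"]] = "wan" if is_ip_list_rule(rule, min_ips) else "lan"
    return placement


if __name__ == "__main__":
    for line in SAMPLE_RULES.splitlines():
        rule = parse_rule(line)
        if rule and rule["sid"] is not None:
            side = "WAN" if is_ip_list_rule(rule) else "LAN"
            print(f"sid:{rule['sid']}  {side}  ips={len(rule['src_ips']) + len(rule['dst_ips'])}  {rule['msg']}")
```

Run it against a real rules file by replacing SAMPLE_RULES with the file contents; the output lists each SID with its suggested interface, which is enough to build the WAN-only selection once rather than eyeballing thousands of rules.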