Snort on vpn connections??



  • Hi all,

    I have installed an openvpn client directly in pfsense to my vpn provider. This is running over a VPN_WAN and a VPN_GATEWAY.
    Everything is working so far, it gets the correct DNS by DHCP, the IP is "correct", the routing seems fine.

    But now I want to use snort on my box. And I tried to use snort on VPN_WAN but that doesn't seem to work correctly because the traffic is encrypted of course. So I get a lot of alerts on just surfing normal websites, they are endless, most of them (http_inspect) UNKNOWN METHOD.

    How can I achieve snorting a vpn connection? Normally the snort has to be placed after the traffic is decrypted, but on VPNLAN it's the same behaviour.

    If I use snort on my normal WAN connection there are not nearly as many alerts. I am using it in connectivity mode anyway.

    Is there any solution for this?

    Cheers



  • @sense678:

    You are seeing some rather well known false positives. The HTTP_INSPECT is notorious for giving false positives. There is a Suppress List thread here in the Packages sub-forum that lists most of the common false positive rules that folks either disable or create suppress entries for. Do a search for "master suppress list", and it should pop up.

    Bill



  • The problem that I have is:

    I have snort enabled on WAN and on VPNWAN.

    I call website x on WAN and get let's say 4 snort messages for this website.

    Then I call the same website on VPNWAN and I get like 30 snort alerts for the same website.

    This is why I think something's wrong with "snorting" a VPN WAN interface.

    Hope this is more understandable now.

    Cheers.



  • You may get additional preprocessor or decoder alerts due to the packet structure. Just add suppress list entries for those.

    Bill
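As an added example (not code from this thread or from the pfSense Snort package), a small Python script that tallies Snort fast-format alerts per GID:SID on the WAN and VPN_WAN logs, picks out the ones that fire far more often on the VPN side, and writes suppress entries only for preprocessor/decoder GIDs, leaving text rules (GID 1/3) for a human to look at. The alert lines, the SIDs and the 3x "noisy" factor are constructed assumptions for the demo.

```python
import re
from collections import Counter

# Matches the "[**] [gid:sid:rev] message [**]" part of a Snort fast-format alert line.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):\d+\] (.*?) \[\*\*\]")


def fast_alert(gid, sid, msg, src, dst):
    """Build one constructed sample line in Snort's fast alert format (not captured traffic)."""
    return (f"01/15-10:22:33.000000  [**] [{gid}:{sid}:1] {msg} [**] "
            f"[Classification: Unknown Traffic] [Priority: 3] {{TCP}} {src} -> {dst}")


# Constructed sample logs: the same site browsed once via WAN and once via the VPN tunnel.
WAN_LOG = "\n".join([
    fast_alert(119, 31, "(http_inspect) UNKNOWN METHOD", "10.0.0.5:51234", "203.0.113.10:80"),
    fast_alert(1, 1000001, "LOCAL sample text rule", "10.0.0.5:51235", "203.0.113.10:80"),
])
VPN_LOG = "\n".join(
    [fast_alert(119, 31, "(http_inspect) UNKNOWN METHOD", "10.8.0.2:40000", "203.0.113.10:80")] * 6
    + [fast_alert(119, 32, "(http_inspect) SIMPLE REQUEST", "10.8.0.2:40001", "203.0.113.10:80")] * 3
    + [fast_alert(1, 1000001, "LOCAL sample text rule", "10.8.0.2:40002", "203.0.113.10:80")]
)


def count_alerts(log_text):
    """Tally alerts by (gid, sid, message). GID 1/3 are text rules; other GIDs are preprocessor/decoder."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)), m.group(3))] += 1
    return counts


def noisy_on_vpn(wan_log, vpn_log, factor=3):
    """Return (gid, sid, msg, wan_hits, vpn_hits) for alerts firing >= factor times more on the VPN interface."""
    wan, vpn = count_alerts(wan_log), count_alerts(vpn_log)
    return [(*key, wan.get(key, 0), v) for key, v in vpn.most_common()
            if v >= factor * max(wan.get(key, 0), 1)]


def suppress_entries(noisy):
    """Emit threshold.conf-style suppress lines for the noisy preprocessor/decoder alerts only."""
    lines = []
    for gid, sid, msg, w, v in noisy:
        if gid in (1, 3):
            continue  # a text rule that fires more on the VPN needs investigation, not a blanket suppress
        lines.append(f"# {msg}: {w} hits on WAN vs {v} on VPN_WAN")
        lines.append(f"suppress gen_id {gid}, sig_id {sid}")
    return lines


if __name__ == "__main__":
    print("\n".join(suppress_entries(noisy_on_vpn(WAN_LOG, VPN_LOG))))
```

The emitted lines go into the interface's Suppress List in the pfSense Snort package (or a threshold.conf on a plain Snort install); re-run against fresh logs after a day of browsing to confirm the remaining alerts are ones worth keeping.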

