Netgate Discussion Forum

    Snort: log: VLAN message on LAN?

    • Mr. Jingles

      G'evening  :P

      Just did a completely fresh re-install of 2.1.5/64, no config backup restores, the hard work (2 days).

      I notice this: on Snort alerts, LAN tab (192.168.2x), I see messages from my VLAN40 (192.168.4.x).

      Have no clue why ???

      (Yes, I triple-checked that I am on LAN  :) )

      What would the powers that is (Hi Bill ;D ) say?

      (Running the latest Snort at this very time).

      snort-weird_lan_vlan.jpg

      6 and a half billion people know that they are stupid, aggressive, lower life forms.

      • bmeeks

        Snort puts monitored interfaces into Promiscuous Mode, so if this VLAN is on your physical LAN interface, then its traffic will show up.

        Suricata has an option to disable Promiscuous Mode, but currently Snort does not.

        Bill

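What a listener on the physical LAN port receives at the frame level, as an added example that is not part of the original thread: untagged LAN frames and 802.1Q-tagged VLAN frames arrive on the same parent interface, so VLAN 40 sources show up next to LAN sources. The frames are constructed sample data, the function names and host addresses are assumptions, and it assumes the capture path delivers the 802.1Q tag intact.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

ETH_IPV4, ETH_8021Q = 0x0800, 0x8100  # EtherTypes: IPv4, 802.1Q VLAN tag


def build_frame(src_ip, dst_ip, vlan=None):
    """Build a constructed Ethernet + minimal IPv4 header (sample data only)."""
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    tag = b"" if vlan is None else struct.pack("!HH", ETH_8021Q, vlan & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip


def classify(frame):
    """Return (vlan_id or None, source IP or None) for one raw Ethernet frame."""
    if len(frame) < 14:
        return None, None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan = 14, None
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            return None, None
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, offset = tci & 0x0FFF, 18  # low 12 bits of the TCI are the VLAN ID
    if ethertype != ETH_IPV4 or len(frame) < offset + 20:
        return vlan, None
    return vlan, str(IPv4Address(frame[offset + 12:offset + 16]))


def summarize(frames):
    """Count frames per (VLAN ID, source /24) as seen on the parent interface."""
    seen = Counter()
    for frame in frames:
        vlan, src = classify(frame)
        if src:
            seen[(vlan, src.rsplit(".", 1)[0] + ".x")] += 1
    return dict(seen)

# Constructed capture: frames arriving on the physical LAN port (parent of VLAN 40).
CAPTURE = [
    build_frame("192.168.2.10", "192.168.2.1"),           # untagged LAN host
    build_frame("192.168.4.25", "192.168.4.1", vlan=40),  # VLAN 40 host
    build_frame("192.168.4.26", "192.168.2.10", vlan=40),
]

print(summarize(CAPTURE))
```

Grouping alerts by the VLAN ID this returns separates events that belong to the VLAN from those on the untagged LAN.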
        • Mr. Jingles

          @bmeeks:

          Snort puts monitored interfaces into Promiscuous Mode, so if this VLAN is on your physical LAN interface, then its traffic will show up.

          Suricata has an option to disable Promiscuous Mode, but currently Snort does not.

          Bill

          Thank you Bill  :D

          Well, the weird thing is: I only see this now for the first time in using pfSense for 2 years, right after I completely reinstalled the machine and all its packages 'from the ground up' (so no cfgbackup restoring, but customizing everything by hand). The only second difference I can think of is: the old box was still on the previous Snort; as I had reinstalled, the only package version of Snort I could install was the latest, so perhaps this is something 'new' in the latest Snort?

          I've been wanting to try Suricata, but it turns out it doesn't work with PPPoE (I have my VDSL-router/modem in modem only, where pfSense does the dial up), so I can't use Suricata on my WAN (my WAN2 is cable but I think you wrote somewhere it is not smart to run Snort and Suricata at the same time. That writing of yours came after I already discovered that some 6 months ago, when I had them running at the same time (albeit only 1 actively monitoring, the other only being installed) and my box was crashing randomly  ;D ).

          6 and a half billion people know that they are stupid, aggressive, lower life forms.

          • bmeeks

            @Mr. Jingles:

            @bmeeks:

            Snort puts monitored interfaces into Promiscuous Mode, so if this VLAN is on your physical LAN interface, then its traffic will show up.

            Suricata has an option to disable Promiscuous Mode, but currently Snort does not.

            Bill

            Thank you Bill  :D

            Well, the weird thing is: I only see this now for the first time in using pfSense for 2 years, right after I completely reinstalled the machine and all its packages 'from the ground up' (so no cfgbackup restoring, but customizing everything by hand). The only second difference I can think of is: the old box was still on the previous Snort; as I had reinstalled, the only package version of Snort I could install was the latest, so perhaps this is something 'new' in the latest Snort?

            I've been wanting to try Suricata, but it turns out it doesn't work with PPPoE (I have my VDSL-router/modem in modem only, where pfSense does the dial up), so I can't use Suricata on my WAN (my WAN2 is cable but I think you wrote somewhere it is not smart to run Snort and Suricata at the same time. That writing of yours came after I already discovered that some 6 months ago, when I had them running at the same time (albeit only 1 actively monitoring, the other only being installed) and my box was crashing randomly  ;D ).

            No, the Promiscuous Mode feature has been in Snort since the beginning.  It is something the underlying binary controls and not the GUI package.  Since you say you have done a complete fresh install from the ground up, are you absolutely positive that all the pfSense settings are exactly the same as before?  Was perhaps your VLAN formerly associated with a different interface?

            Bill

            • Mr. Jingles

              @bmeeks:

              No, the Promiscuous Mode feature has been in Snort since the beginning.  It is something the underlying binary controls and not the GUI package.  Since you say you have done a complete fresh install from the ground up, are you absolutely positive that all the pfSense settings are exactly the same as before?  Was perhaps your VLAN formerly associated with a different interface?

              Bill

              Thank you Bill  ;D

              No, it is completely 100% the same. I meticulously created screenshots of all settings, and set up everything again, fresh, by hand according to these screenshots :-[

              6 and a half billion people know that they are stupid, aggressive, lower life forms.
