    Snort: log: VLAN message on LAN?

      Mr. Jingles last edited by

      G'evening  :P

      Just did a completely fresh re-install of 2.1.5/64, no config backup restores, the hard work (2 days).

      I notice this: on Snort alerts, LAN tab (192.168.2x), I see messages from my VLAN40 (192.168.4.x).

      Have no clue why ???

      (Yes, I triple-checked that I am on LAN  :) )

      What would the powers that be (Hi Bill ;D ) say?

      (Running the latest Snort at this very time).


        bmeeks last edited by

        Snort puts monitored interfaces into Promiscuous Mode, so if this VLAN is on your physical LAN interface, then its traffic will show up.

        Suricata has an option to disable Promiscuous Mode, but currently Snort does not.

        Bill
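
Added example (not part of the thread or of the pfSense Snort package): a triage script that sorts alert lines by which subnet their endpoints belong to, so alerts seen on the LAN instance only because VLAN40 shares the promiscuous physical interface can be separated from genuine LAN alerts. It assumes Snort's one-line "fast" alert format and /24 prefixes for the two ranges mentioned above; the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the thread gives only 192.168.2.x (LAN) and 192.168.4.x
# (VLAN40); the /24 prefix lengths are not stated there.
SUBNETS = {
    "LAN": ipaddress.ip_network("192.168.2.0/24"),
    "VLAN40": ipaddress.ip_network("192.168.4.0/24"),
}

# Tail of a Snort "fast" alert line: {PROTO} src[:port] -> dst[:port]
ENDPOINTS = re.compile(
    r"\{[^}]+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def segment_of(addr):
    """Name of the configured subnet holding addr, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return next((n for n, net in SUBNETS.items() if ip in net), None)

def classify(line, monitored="LAN"):
    """'local' if either endpoint is on the monitored subnet; otherwise the
    other known segment's name, 'external', or 'unparsed'."""
    m = ENDPOINTS.search(line)
    if not m:
        return "unparsed"
    segs = {segment_of(m["src"]), segment_of(m["dst"])} - {None}
    if monitored in segs:
        return "local"
    return sorted(segs)[0] if segs else "external"

def summarize(lines, monitored="LAN"):
    """Count alert lines per classification."""
    return Counter(classify(line, monitored) for line in lines)

# Constructed sample alerts (rule IDs, messages and addresses are made up).
SAMPLE = [
    "10/02-21:14:03.112233  [**] [1:1000001:1] constructed rule A [**] [Priority: 2] {TCP} 192.168.2.15:51234 -> 203.0.113.9:80",
    "10/02-21:14:05.445566  [**] [1:1000002:1] constructed rule B [**] [Priority: 2] {TCP} 192.168.4.22:49800 -> 198.51.100.7:443",
    "10/02-21:14:09.778899  [**] [1:1000003:1] constructed rule C [**] [Priority: 3] {ICMP} 192.168.4.22 -> 192.168.2.15",
    "not an alert line",
]

if __name__ == "__main__":
    for kind, count in summarize(SAMPLE).items():
        print(f"{kind}: {count}")
```

Alerts classified as `VLAN40` have no LAN endpoint at all, which is the pattern expected when the VLAN's frames are only visible because they traverse the same physical NIC.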

          Mr. Jingles last edited by

          @bmeeks:

          Snort puts monitored interfaces into Promiscuous Mode, so if this VLAN is on your physical LAN interface, then its traffic will show up.

          Suricata has an option to disable Promiscuous Mode, but currently Snort does not.

          Bill

          Thank you Bill  :D

          Well, the weird thing is: I only see this now for the first time in using pfSense for 2 years, right after I completely reinstalled the machine and all its packages 'from the ground up' (so no cfgbackup restoring, but customizing everything by hand). The only second difference I can think of is: the old box was still on the previous Snort; as I had reinstalled, the only package version of Snort I could install was the latest, so perhaps this is something 'new' in the latest Snort?

          I've been wanting to try Suricata, but it turns out it doesn't work with PPPoE (I have my VDSL-router/modem in modem only, where pfSense does the dial up), so I can't use Suricata on my WAN (my WAN2 is cable but I think you wrote somewhere it is not smart to run Snort and Suricata at the same time. That writing of yours came after I already discovered that some 6 months ago, when I had them running at the same time (albeit only 1 actively monitoring, the other only being installed) and my box was crashing randomly  ;D ).

            bmeeks last edited by

            @Mr. Jingles:

            @bmeeks:

            Snort puts monitored interfaces into Promiscuous Mode, so if this VLAN is on your physical LAN interface, then its traffic will show up.

            Suricata has an option to disable Promiscuous Mode, but currently Snort does not.

            Bill

            Thank you Bill  :D

            Well, the weird thing is: I only see this now for the first time in using pfSense for 2 years, right after I completely reinstalled the machine and all its packages 'from the ground up' (so no cfgbackup restoring, but customizing everything by hand). The only second difference I can think of is: the old box was still on the previous Snort; as I had reinstalled, the only package version of Snort I could install was the latest, so perhaps this is something 'new' in the latest Snort?

            I've been wanting to try Suricata, but it turns out it doesn't work with PPPoE (I have my VDSL-router/modem in modem only, where pfSense does the dial up), so I can't use Suricata on my WAN (my WAN2 is cable but I think you wrote somewhere it is not smart to run Snort and Suricata at the same time. That writing of yours came after I already discovered that some 6 months ago, when I had them running at the same time (albeit only 1 actively monitoring, the other only being installed) and my box was crashing randomly  ;D ).

            No, the Promiscuous Mode feature has been in Snort since the beginning.  It is something the underlying binary controls and not the GUI package.  Since you say you have done a complete fresh install from the ground up, are you absolutely positive that all the pfSense settings are exactly the same as before?  Was perhaps your VLAN formerly associated with a different interface?

            Bill

              Mr. Jingles last edited by

              @bmeeks:

              No, the Promiscuous Mode feature has been in Snort since the beginning.  It is something the underlying binary controls and not the GUI package.  Since you say you have done a complete fresh install from the ground up, are you absolutely positive that all the pfSense settings are exactly the same as before?  Was perhaps your VLAN formerly associated with a different interface?

              Bill

              Thank you Bill  ;D

              No, it is completely 100% the same. I meticulously created screenshots of all settings, and set up everything again, fresh, by hand according to these screenshots :-[
