Why is there enabling WAN and LAN interfaces on SNORT?



  • Hi,

    I am new to computer networking. I would like to setup SNORT for my small office. I was wondering what is the difference between enabling SNORT on WAN and LAN and why are there two options for us to choose?

    Thanks for your help in advance.



    1. If you have multiple questions related to the same package, you might as well ask them all in the same thread.
    2. RTFM
    3. Ask Google?

    To not appear as a total douche:

    Standard disclaimer applies: Snort or any IDS/IPS is not a turn key solution (Unless you buy it as a complete service, I suppose..). You need to know what you are doing and be prepared to tweak things as you go. You will see a lot of false positives if you do not pay attention to what you're doing.

    Like with most things on pfSense, you can select which interface you want to operate on. For a simple 1 WAN 1 LAN configuration, I would run Snort on LAN to catch the internal IP addresses of possible offenders and to not catch unintended traffic on WAN as Snort puts the interface into promiscuous mode (Google what this actually means!).



  • Here is my suggestion if you are inexperienced with using an IDS/IPS (intrusion detection/prevention system).

    1.  Go to https://www.snort.org/products and purchase a Snort VRT rules license.  For home use the cost is $29.99/year.  It's $399.99/year for a business license.

    2.  Follow the Snort Setup Guide listed as a sticky thread at the top of this Packages forum.  Make one change in the instructions – "use the LAN instead of the WAN" as fragged recommended.

    3.  Visit this old thread to get a list of the common false positive alerts that will block traffic when it probably shouldn't be blocked.  Most of these have to do with the fact Snort requires very strict adherence to the web server RFCs, but many web servers themselves don't follow all the RFCs to the letter.  Add the entries shown in the thread to a Suppress List and assign that Suppress List to the LAN interface.

    Snort Master Suppress List thread:  https://forum.pfsense.org/index.php?topic=56267.msg300473#msg300473

    This will get you 90% of the way there.  For more details or advice, post back in this forum and several of the more experienced users will gladly provide help and advice.

    Bill



  • Thanks guys for your reply.

    So enabling LAN on snort is able to catch the internal IP addresses of possible offenders and not to catch unintended traffic on WAN right?

    I read from another forum, that enabling WAN on snort able to catch malicious network activities coming in from external network while LAN is able to catch the internal IP addresses of possible offenders and malicious network activities coming in from external network.

    Since enabling LAN on snort have more functionality than enabling WAN on snort, why do pfSense allow users to choose to enable snort on LAN or WAN or both instead of just enabling and setting LAN on snort?



  • why do pfSense allow users to choose to enable snort on LAN or WAN or both instead of just enabling and setting LAN on snort?

    Because choice is good?  Because you may want to filter traffic on all of your interfaces?  Snort on WAN can stop malicious but legal traffic from entering your network such as attacks on your web server.  Snort on LAN can stop malicious traffic from zombies on your LAN leaving your network.



  • @enivre1717:

    Thanks guys for your reply.

    So enabling LAN on snort is able to catch the internal IP addresses of possible offenders and not to catch unintended traffic on WAN right?

    I read from another forum, that enabling WAN on snort able to catch malicious network activities coming in from external network while LAN is able to catch the internal IP addresses of possible offenders and malicious network activities coming in from external network.

    Since enabling LAN on snort have more functionality than enabling WAN on snort, why do pfSense allow users to choose to enable snort on LAN or WAN or both instead of just enabling and setting LAN on snort?

    It depends on what you are protecting and how much trouble you want to go through to find offending hosts in your local network.  For instance, a typical setup these days uses NAT for LAN hosts talking to the Internet.  If you run Snort on the WAN interface, it will only see traffic from your LAN hosts after it has been through the NAT engine.  This means that when one of your LAN hosts is the "source" or "destination" of traffic to/from the Internet, Snort will always see only your WAN IP address and never the actual LAN host's IP address.  So if you had a malware-infected internal host communicating out to a BOT C&C server, you could not tell which LAN host it was since all the Snort alerts would show only the WAN IP of your firewall and the IP of the Internet far-end host.  On the other hand, if you run Snort on the LAN side, then it sees local host traffic before it enters the NAT engine.  This means the Snort alerts would show the real IP address of the LAN host and the IP address of the Internet host.  It is then much easier to find the LAN host that may be infected.

    Should you not use NAT, then even on the WAN side Snort would see the actual internal host IP address.  One scenario where having Snort on the WAN can be useful is when you have public-facing hosts such as web or mail servers that you want to protect.

    Bill



  • @bmeeks:

    One scenario where having Snort on the WAN can be useful is when you have public-facing hosts such as web or mail servers that you want to protect.

    Unless those public-facing servers are running on pfSense itself, Snort on LAN will see the traffic.

    Running Snort on WAN is only needed if trying to prevent bad traffic on firewall itself, for example it will help protecting SSHd or VPN external ports.



  • @dgcom:

    @bmeeks:

    One scenario where having Snort on the WAN can be useful is when you have public-facing hosts such as web or mail servers that you want to protect.

    Unless those public-facing servers are running on pfSense itself, Snort on LAN will see the traffic.

    Running Snort on WAN is only needed if trying to prevent bad traffic on firewall itself, for example it will help protecting SSHd or VPN external ports.

    True…I was grasping for an example.  Your examples are better and did not pop into my head at the time.

    Bill



  • Unless those public-facing servers are running on pfSense itself, Snort on LAN will see the traffic.

    I thought that Snort only looked at traffic coming into the interface, so Snort on LAN would see flagged traffic from a bad client after it's already been compromised.  I saw it as more useful for ad hoc clients like external people coming in for meetings with notebooks and needing guest LAN access or such.



  • The direction of the traffic does not really matter in this case. Snort sees all packets, sent or received.



  • Thanks guys for your replies. Just to clarify so pfSense allow users to have two interfaces (LAN and WAN ) on SNORT so users are able to choose whether to set SNORT on LAN/ WAN or both depending on where does pfSense is install (public facing servers or not?) and how do the user want to protect their network ?