Snort / Suricata for inbound traffic only



  • In the past, my network was simple and mainly for outbound use only (no services needed to be reached from the outside).

    Now, however, I have the need to host a small web server on my network.

    I was thinking of adding snort or suricata to my pfSense to more actively analyze the traffic coming into that web server. However, I really just want to use it for incoming traffic to that one specific server, and not change/analyze any of my other outbound traffic.

    Is that possible?



  • Yes, providing you put that web server on a subnet and interface (or VLAN) by itself.  You would then run Suricata or Snort on that interface (or VLAN) only.  That would really be best practice anyway – putting your Interfacing web server in a DMZ.  Run the IDS only on the DMZ interface.

    Bill



  • Good idea, and that is what I did - kind of.

    Unfortunately (for now) the server also needs to be on the LAN network. But I was able to install a 2nd NIC on the server and use an unused NIC on the pfSense box to make a DMZ of sorts. I make a new NAT rule that goes to the new DMZ server IP address. I then added the 'DMZ' interface to suricata.

    Yes, the web server is now dual-homed, but I thought that would still be better than allowing external traffic to my main LAN.

    Thoughts on dual-homing the server versus just letting the outside talk to the server's LAN IP?

    Jason



  • Well…dual-homed means if any bad guy finds a way into the web server, then he has immediate free access to you LAN.  With a true DMZ, firewall rules protect the LAN from the DMZ.

    Oh, and in my original reply up above I badly misspelled "Internet-facing web server".  I put "Interfacing web server" instead... :-[.

    Bill



  • Yeah, I realize if the dual-homed web server is compromised then the LAN is still compromised as well.

    I was just thinking out loud whether making it dual homed like that with a dedicated 'outside' interface really buys me anything. And I still think it does in terms of making it a lot easier to monitor the traffic, even if it doesn't add much additional security.

    The other thing it allows me to do is to keep my suricata rules very tight, as there is limited traffic of a specific type going through that one interface.

    Again, not as good as a real DMZ, but will have to do for now until I rebuild a few things.


Log in to reply