Routing multiple sites through a single pfSense running Snort/Suricata
Does anyone have experience routing all traffic from multiple sites through a single instance of Snort or Suricata?
We have multiple smaller remote sites that are each linked to our main office with IPSEC tunnels. Currently the remote sites only use the IPSEC tunnels for internal resources at the main office and all of their internet traffic goes through their WAN connection.
Looking at this doc, it looks like we could easily route all of our remote site traffic through the main office https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel
If we were to do so, would the remote site traffic be analyzed by Snort/Suricata running at the main office? If so assuming we were running Snort on both our LAN and WAN interfaces at the main office would that remote site traffic be analyzed on both interfaces?
Yes, if you put Snort or Suricata on the WAN interface of your main office, then the package would see all traffic. However, if you use NAT, the usefulness of the IDS is diminished a bit in that the only IP addresses you would ever see in the alerts will be those for the far-end Internet host and the WAN IP of your main office firewall. It would be difficult in that scenario to track which host on your private LANs might be infected with or the target of malware.
If you instead run the IDS on the LAN interfaces, you would see the IP addresses before they were NAT-mangled. With the site-to-site VPN scenario you linked, I don't if the LAN approach would work.