Snort at home - WAN or LAN?



  • So my pfSense box is running and stable, now I want to put Snort on and begin my dive into IDS.

    As a home user using NAT, I think having Snort on the LAN is more what I'd be interested in, so I can identify a system or device that is triggering IPv4 alerts (IPv6 would be visible either way). I'm not running any critical systems accessible from the internet, so the firewall should be blocking anything inbound. If I were to have a forwarded port though, would Snort on the LAN interface still catch anything heading to the internal host from a forwarded port?

    Are there benefits or concerns to running it one way over the other that I should be looking at as a home user?



  • LAN is where you want it with NAT.  Otherwise, all the IP addresses you see in alerts will either be your WAN IP or some far-end Internet host.  You would never see any LAN IP addresses if you run Snort on the WAN interface.  Without the LAN addresses, identifying an infected host on your LAN becomes quite hard.  This is because Snort on the WAN only sees the traffic after NAT rules have been applied.

    Bill



  • In addition to what Bill said, what I do is run Snort on both WAN and LAN interfaces.

    On the LAN interface I have blocking disabled and quite a few rules enabled so I can get some visibility into what is happening on my network.

    On the WAN interface I have blocking enabled and only specific security related rules enabled. All rules that are running on the WAN (in blocking mode) are also running on the LAN (in alert mode).

    This allows me to block security threats, while still seeing what NAT'd local devices are having their traffic blocked, as well as alert on other rules that may not be security threats or that may have higher rates of false positives.



  • @jeffh:

    In addition to what Bill said, what I do is run Snort on both WAN and LAN interfaces.

    On the LAN interface I have blocking disabled and quite a few rules enabled so I can get some visibility into what is happening on my network.

    On the WAN interface I have blocking enabled and only specific security related rules enabled. All rules that are running on the WAN (in blocking mode) are also running on the LAN (in alert mode).

    This allows me to block security threats, while still seeing what NAT'd local devices are having their traffic blocked, as well as alert on other rules that may not be security threats or that may have higher rates of false positives.

    Nothing wrong with doing it this way if you have RAM and CPU to spare.  Most hardware these days is fully capable of using a setup like yours unless the traffic is getting upwards of 1 Gigabit/sec sustained throughput or something.

    Bill



  • @jeffh:

    In addition to what Bill said, what I do is run Snort on both WAN and LAN interfaces.

    On the LAN interface I have blocking disabled and quite a few rules enabled so I can get some visibility into what is happening on my network.

    On the WAN interface I have blocking enabled and only specific security related rules enabled. All rules that are running on the WAN (in blocking mode) are also running on the LAN (in alert mode).

    This allows me to block security threats, while still seeing what NAT'd local devices are having their traffic blocked, as well as alert on other rules that may not be security threats or that may have higher rates of false positives.

    This is the exact same thing that I do and it works great.  It does take a bit more memory and processing power, and a lot more if you're doing barnyard.  I ended up turning the barnyard push notifications off because of this…but with this combination, you get the blocking on the WAN and can then trace it to your internal LAN IP address.
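
    As an added example (not code from the thread, pfSense or Snort), here is the correlation step behind jeffh's two-sensor setup and the "trace it to your internal LAN IP" step in the last reply: a WAN-side alert only ever shows the WAN address and the Internet peer, so the script matches it to the LAN-side alert for the same flow by rule SID, peer IP:port, direction and time, which gives you the internal host. The alert_fast layout is Snort's, but the addresses (198.51.100.5 WAN, 192.168.1.0/24 LAN, 203.0.113.10 peer), the rule SIDs and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Snort alert_fast layout: MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport
FAST = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]"
                  r"\s+(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
                  r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_fast_alert(line, year=2024):
    """Parse one alert_fast line; None for lines that do not match (year is not logged, so it is assumed)."""
    m = FAST.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return a

def remote_side(a, wan_ip, lan_net):
    # Local side is the WAN address (post-NAT view) or a LAN host (pre-NAT view);
    # the Internet peer's IP:port is unchanged by NAT, so it is the key both views share.
    if a["src"] == wan_ip or ipaddress.ip_address(a["src"]) in lan_net:
        return a["dst"], a["dport"], "out", a["src"]
    return a["src"], a["sport"], "in", a["dst"]

def correlate(wan_lines, lan_lines, wan_ip, lan_cidr, window=2.0):
    """Map each WAN alert to (sid, peer_ip, lan_host): same rule, same peer, same direction,
    timestamps within `window` seconds. lan_host is None when the LAN sensor saw no match."""
    net = ipaddress.ip_network(lan_cidr)
    lan = [(a, remote_side(a, wan_ip, net)) for a in map(parse_fast_alert, lan_lines) if a]
    out = []
    for w in filter(None, map(parse_fast_alert, wan_lines)):
        peer, port, direction, _ = remote_side(w, wan_ip, net)
        host = next((side[3] for a, side in lan
                     if (a["sid"], *side[:3]) == (w["sid"], peer, port, direction)
                     and abs((a["ts"] - w["ts"]).total_seconds()) <= window), None)
        out.append((w["sid"], peer, host))
    return out

# Constructed sample alerts (not real logs): WAN 198.51.100.5, LAN 192.168.1.0/24, peer 203.0.113.10.
# pf rewrote the LAN source port 44123 to 61000 during outbound NAT, so ports alone would not match.
def fake(ts, sid, flow):
    return f"{ts}  [**] [1:{sid}:1] LOCAL constructed rule {sid} [**] [Priority: 3] {{TCP}} {flow}"
WAN_ALERTS = [fake("01/15-10:23:45.100000", 1000001, "198.51.100.5:61000 -> 203.0.113.10:80"),
              fake("01/15-10:25:00.000000", 1000002, "203.0.113.10:40000 -> 198.51.100.5:22")]
LAN_ALERTS = [fake("01/15-10:23:45.090000", 1000001, "192.168.1.20:44123 -> 203.0.113.10:80"),
              fake("01/15-10:30:01.000000", 1000001, "192.168.1.31:50000 -> 203.0.113.10:80")]

if __name__ == "__main__":
    for sid, peer, host in correlate(WAN_ALERTS, LAN_ALERTS, "198.51.100.5", "192.168.1.0/24"):
        print(f"sid {sid} peer {peer} -> LAN host {host or 'unknown (no LAN-side alert)'}")
```

    The second WAN alert (inbound to port 22) has no LAN counterpart because the firewall dropped it before it reached the LAN, so it stays unattributed; only rules enabled on both interfaces, as in jeffh's setup, can be traced this way.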

