Snort home_net and external_net for DMZ



  • Good evening everyone,

    So I am running the pfsense appliance inside of our LAN network to virtualize network segments for my ESXi cluster. For this reason I don't use NAT, the WAN interface of the pfsense appliance uses an L3 switch on it's own VLAN as it's gateway to the LAN.

    On the pfsense appliance I've got 4-5 interfaces set up for a dmz, dev network, IT network, pfsync, etc. In the DMZ I've got a reverse proxy that is exposed to the public internet which reverse proxies webpage applications which we want to be accessible from the internet.

    The reverse proxy forwards http requests to our internal application, I want to put snort between the DMZ and the internal application, so I've enabled snort on the DMZ interface but I am having a lot of trouble configuring the home_net and external_net, or maybe I am just not understanding it properly. Snort is enabled on both the WAN interface since that is receiving the packets from our edge firewall which is forwarding public internet http to the reverse proxy in the DMZ, and then I want to make sure snort is also watching packets from the reverse proxy into the LAN.

    I've created a trusted subnets alias which includes the subnets that pfsense is not aware of for use on the LAN snort interface, but I can't add those extra subnets to the default external_net as !192.168.0.0/16, the default only has the subnets that reside within the pfsense appliance. And then for the DMZ snort interface I don't want to have the DMZ subnet on the pass list because that defeats the whole purpose, I want the traffic from the DMZ to the LAN inspected. I've tried unchecking all of the auto generated rules that get added to a passlist and every subnet the pfsense appliance hosts it adds no matter what I do.

    For instance the DMZ subnet is 10.10.50.0/24 and no matter what I do that subnet is always on the pass list, I don't want it passed, I want it inspected because the reverse proxy is running on that subnet.



  • The Snort package is designed with some defaults to make things easier for most situations.  One of those defaults is the automatic inclusion of all firewall interface networks (other than the WAN) into HOME_NET and the default PASS LIST.  Your situation is different and the defaults sound like they are not what you want.

    You can fix this by creating custom Pass Lists on the PASS LIST tab.  When creating them, uncheck all the "default checked" options and then only check the ones you want (or none of them).  Use an Alias to contain all the addresses you want in the list.

    For example, assume you want to create a custom HOME_NET on the DMZ interface.  First, create an Alias under Firewall > Aliases to hold all the addresses you want in the custom HOME_NET.  Remember an alias can contain other aliases (nested aliases), so you should be able to construct a single alias containing all the IP addresses you want.  Next, create a custom pass list and call it maybe MY_HOME_NET or whatever.  In the Pass List dialog uncheck all the default-checked options (unless there are some you want).  Now select the alias you created earlier in the ADDRESS box at the bottom of the screen.  Just start typing the name and it should auto-populate with matching values.  Save the custom Pass List.

    Now go to the Snort interface (DMZ) where you want to use the custom HOME_NET.  Select the INTERFACE SETTINGS tab.  Scroll down to the HOME_NET drop-down selector.  Select the custom HOME_NET Pass List you created above.  Save the change and then restart Snort on the interface.  It will now be using that HOME_NET.  You can repeat the process for custom Pass List and even a custom EXTERNAL_NET if you want.

    Bill


Log in to reply