Provide VPN interface for Snort to inspect
-
Thanks for the wonderful guide at the top of the sub forum. It helped me get started with Snort and was extremely helpful.
Once question I can't seem to find an answer for is how to provide an interface, which represents the OpenVPN server on my pfSense box, for Snort to inspect.
While I can see the WAN and LAN alerts, and often match the WAN alerts to a corresponding host on my LAN, for OpenVPN clients connecting through pfSense I only see the alerts generated on the WAN interface as the address pool being used for OpenVPN isn't part of the LAN address pool or DHCP server, but rather provided by the OpenVPN server itself.
-
Thanks to a hint from a kind user on the IRC channel it was as simple as creating an interface (on the Interfaces menu), with the available port provided by the OpenVPN Server service, and assigning it the same IP address the OpenVPN Server has had self-assigned from the address pool listed in the settings.
Subsequently the interface became available to add/inspect by snort and it was as simple as duplicating my LAN ruleset for it.