4. Provide VPN interface for Snort to inspect

Provide VPN interface for Snort to inspect

  • Y

    Thanks for the wonderful guide at the top of the sub forum. It helped me get started with Snort and was extremely helpful.

    Once question I can't seem to find an answer for is how to provide an interface, which represents the OpenVPN server on my pfSense box, for Snort to inspect.

    While I can see the WAN and LAN alerts, and often match the WAN alerts to a corresponding host on my LAN, for OpenVPN clients connecting through pfSense I only see the alerts generated on the WAN interface as the address pool being used for OpenVPN isn't part of the LAN address  pool or DHCP server, but rather provided by the OpenVPN server itself.

    0
  • Y

    Thanks to a hint from a kind user on the IRC channel it was as simple as creating an interface (on the Interfaces menu), with the available port provided by the OpenVPN Server service, and assigning it the same IP address the OpenVPN Server has had self-assigned from the address pool listed in the settings.

    Subsequently the interface became available to add/inspect by snort and it was as simple as duplicating my LAN ruleset for it.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy