SNORT Inexperience

IDS/IPS
coxhaus:

I ran Snort for a week or 2. I don't have much experience with Snort, but a problem I had was that Snort logs did not always show the source IP address. I run a layer 3 switch behind pfSense. All my LAN traffic is routed traffic. I only have 2 LAN IP addresses for pfSense. It seemed like I was getting the same IP address for a lot of my LAN traffic. Is the new Snort going to work better for me?

I run this at home so it is not critical.

bmeeks:

Running Snort on the LAN side is a good strategy for a home network, but realize that on the LAN the only traffic the firewall should see is traffic that is outbound to the WAN or inbound from the WAN going to some host on the LAN. The firewall does not typically see host-to-host traffic on the LAN.

So with that said, running on the LAN interface, you would expect Snort to trigger on malicious inbound or outbound traffic (meaning coming to a local host through the WAN interface on the firewall, or leaving a local LAN host going out to the Internet through the WAN on the firewall). I don't really understand what you mean by "…seemed like I was getting the same IP address for a lot of my LAN traffic". What specific alert or alerts were you seeing? Was the IP address one of your LAN hosts?

Bill

coxhaus:

pfSense only sees traffic destined for the internet. All local traffic is handled by my layer 3 switch. What I remember is that the pfSense gateway IP address for the layer 3 switch is shown in the logs, not the real IP address assigned by my layer 3 switch to all the clients. So I see a lot of the same IP addresses in the logs, being the gateway IP address. Then I have to interpret what the real IP is. My layer 3 switch is my DHCP server. I no longer have SNORT installed so I can't look now. When is SNORT 3.0 going to be released? I want to wait until after pfSense 2.3, which I plan to upgrade to in a couple of weeks.

bmeeks:

@coxhaus:

pfSense only sees traffic destined for the internet. All local traffic is handled by my layer 3 switch. What I remember is that the pfSense gateway IP address for the layer 3 switch is shown in the logs, not the real IP address assigned by my layer 3 switch to all the clients. So I see a lot of the same IP addresses in the logs, being the gateway IP address. Then I have to interpret what the real IP is. My layer 3 switch is my DHCP server. I no longer have SNORT installed so I can't look now. When is SNORT 3.0 going to be released? I want to wait until after pfSense 2.3, which I plan to upgrade to in a couple of weeks.

Sounds like in your setup your switch is doing NAT, so it will only show a single IP address to pfSense and Snort. Remove the Layer 3 switch if you want to see the true IP addresses.

As for Snort 3.0, it won't come to pfSense until it is production code and is in the FreeBSD ports tree. Neither of those triggers has yet happened (at least they had not the last time I checked).

Bill

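As an added example (not code from this thread and not part of the pfSense Snort package): a small Python script that parses Snort "fast" alert lines and groups them by their local endpoint, so you can see whether alerts collapse onto the switch's pfSense-facing address instead of onto individual clients. Routing keeps the client's original source address, so a pile-up on that one transit address is the address-translation symptom Bill describes above. The sample alert lines, the LAN prefixes 192.168.1.0/24 and 172.16.0.0/12, and the transit address 192.168.1.20 are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Snort "fast" alert format: timestamp, [**] [gid:sid:rev] msg [**], classification,
# priority, then "{PROTO} src[:port] -> dst[:port]" (ports are absent for ICMP).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (assumption: 192.168.1.20 is the L3 switch's pfSense-facing
# address, 172.16.0.0/12 holds the client VLANs routed behind it, 10.10.0.2 is remote).
SAMPLE_ALERTS = """\
03/15-14:22:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.0.2:443 -> 192.168.1.20:51234
03/15-14:22:05.000001  [**] [1:2008578:6] ET SCAN Sipvicious Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.20:5060 -> 10.10.0.2:5060
03/15-14:23:10.555555  [**] [1:2008578:6] ET SCAN Sipvicious Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.20:5060 -> 10.10.0.2:5060
03/15-14:24:00.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 172.16.5.44 -> 10.10.0.2
"""

def parse_alert(line):
    """Return the alert's fields as a dict, or None for a line that is not a fast alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def local_side(alert, local_nets):
    """Return whichever endpoint (src first, then dst) lies in a local network, else None."""
    for key in ("src", "dst"):
        ip = ipaddress.ip_address(alert[key])
        if any(ip in net for net in local_nets):
            return str(ip)
    return None

def attribution_report(lines, local_cidrs, transit_ip):
    """Group alerts by local endpoint; those landing on the transit address cannot be
    tied to a client host, since routing would have preserved the client's address."""
    local_nets = [ipaddress.ip_network(c) for c in local_cidrs]
    counts, unparsed = Counter(), 0
    for line in lines.splitlines():
        alert = parse_alert(line)
        if alert is None:
            unparsed += 1
            continue
        counts[local_side(alert, local_nets) or "none"] += 1
    total = sum(counts.values())
    return {"by_local_ip": dict(counts), "unattributed": counts[transit_ip],
            "unattributed_ratio": counts[transit_ip] / total if total else 0.0,
            "unparsed": unparsed}
```

Run it with `attribution_report(SAMPLE_ALERTS, ["192.168.1.0/24", "172.16.0.0/12"], "192.168.1.20")`; on the sample data three of four alerts resolve only to the transit address, while the ICMP alert still carries a real client address, which is what you would expect from routed rather than translated traffic.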
coxhaus:

Thanks Bill. No NAT in the switch. I will take another look after my 2.3 upgrade.
