SNORT Inexperience



  • I ran snort for a week or 2.  I don't have much experience with snort but a problem I had was snort logs did not always show the source IP address.  I run a layer 3 switch behind pfsense.  All my LAN traffic is routed traffic. I only have 2 LAN IP addresses for pfsense.  It seemed like I was getting the same IP address for a lot of my LAN traffic.  Is the new snort going to work better for me?

    I run this at home so it is not critical.



  • Running Snort on the LAN side is a good strategy for a home network, but realize that on the LAN the only traffic the firewall should see is traffic that is outbound to the WAN or inbound from the WAN going to some host on the LAN.  The firewall does not typically see host-to-host traffic on the LAN.

    So with that said, running on the LAN interface, you would expect Snort to trigger on malicious inbound or outbound traffic (meaning coming to a local host through the WAN interface on the firewall, or leaving a local LAN host going out to the Internet through the WAN on the firewall).  I don't really understand what you mean by "…seemed like I was getting the same IP address for a lot of my LAN traffic".  What specific alert or alerts were you seeing?  Was the IP address one of your LAN hosts?

    Bill



  • Pfsense only sees traffic destined for the internet.  All local traffic is handled by my layer 3 switch.  What I remember is that the pfsense gateway IP address for the layer 3 switch is shown in the logs, not the real IP address assigned by my layer 3 switch to all the clients.  So I see a lot of the same IP addresses in the logs being the gateway IP address.  Then I have to interpret what the real IP is.  My layer 3 switch is my DHCP server.  I no longer have SNORT installed so I can't look now.  When is SNORT 3.0 going to be released?  I want to wait until after pfsense 2.3, which I plan to upgrade to in a couple of weeks.



  • @coxhaus:

    Pfsense only sees traffic destined for the internet.  All local traffic is handled by my layer 3 switch.  What I remember is that the pfsense gateway IP address for the layer 3 switch is shown in the logs, not the real IP address assigned by my layer 3 switch to all the clients.  So I see a lot of the same IP addresses in the logs being the gateway IP address.  Then I have to interpret what the real IP is.  My layer 3 switch is my DHCP server.  I no longer have SNORT installed so I can't look now.  When is SNORT 3.0 going to be released?  I want to wait until after pfsense 2.3, which I plan to upgrade to in a couple of weeks.

    Sounds like in your setup your switch is doing NAT, so it will only show a single IP address to pfSense and Snort.  Remove the Layer 3 switch if you want to see the true IP addresses.

    As for Snort 3.0, it won't come to pfSense until it is production code and is in the FreeBSD ports tree.  Neither of those triggers has yet happened (at least they had not the last time I checked).

    Bill



  • Thanks Bill.  No NAT in the switch.  I will take another look after my 2.3 upgrade.