Snort/Suricata and NAT/Port forwarding ports



  • When specifying variables in Snort and Suricata (HTTP_PORTS for instance) and using NAT/Port forwarding does one use the external port that clients are accessing? Or the internal port that the system is running the service on?

    Does this vary depending on if you're running Snort/Suricata on WAN vs LAN interface?



  • It will vary by location (LAN vs WAN) of the IDS sensor.  Snort and Suricata both see packets from the WAN before they hit the packet filter, so no port translation has yet taken place on inbound (from Internet to your firewall) traffic.  When on the LAN, the IDS is seeing stuff after NAT translation to local addresses/ports.

    So think of a series circuit on the WAN side.  You have your NIC, then the IDS, and then the firewall.  So the IDS sees traffic before the firewall does and thus no firewall rules have been evaluated (to say block stuff) and NAT has not yet happened.  This is why the IDS will still alert even for inbound traffic the firewall will later block due to a rule.

    Now to get even more technical, Snort (and Suricata when running in the legacy mode) actually use libpcap to get a copy of the packets coming through the circuit from NIC to packet filter.  The IDS operates on this copy while the actual original packet continues through.  If the IDS decides the traffic is malicious, it inserts the offending IP address into the packet filter (firewall) and then kills any states that may have been established when that original packet went on through while the IDS was evaluating the copy.

    Bill
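To make the WAN-vs-LAN distinction above concrete, here is a small Python model added as an illustration (not code from the thread or from Snort/Suricata). The port-forward table, the host addresses and the `service` labels are constructed sample data; it derives which destination port the sensor observes at each placement and which ports belong in `HTTP_PORTS` there.

```python
"""Constructed model of IDS sensor placement (WAN = pre-NAT, LAN = post-NAT)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Forward:
    """One NAT port-forward rule (constructed sample, not a real firewall config)."""
    ext_port: int    # port clients on the Internet connect to
    int_host: str    # internal server address after translation
    int_port: int    # port the service actually listens on
    service: str     # label deciding which forwards feed HTTP_PORTS


# Constructed table: external 8080 -> internal 80, 443 -> 443, 2222 -> 22
FORWARDS = (
    Forward(8080, "192.168.1.10", 80, "http"),
    Forward(443, "192.168.1.10", 443, "http"),
    Forward(2222, "192.168.1.20", 22, "ssh"),
)


def observed_dst(sensor: str, ext_port: int, forwards=FORWARDS) -> Optional[Tuple[str, int]]:
    """Destination (host, port) the IDS sees for an inbound packet to ext_port.

    WAN sensor: the libpcap copy is taken before the packet filter, so the
    destination is still the firewall's WAN address and the external port.
    LAN sensor: the packet has already been translated, so the sensor sees the
    internal host and port; traffic with no forward never reaches the LAN.
    """
    if sensor == "WAN":
        return ("firewall-wan-ip", ext_port)
    for f in forwards:
        if f.ext_port == ext_port:
            return (f.int_host, f.int_port)
    return None


def http_ports(sensor: str, forwards=FORWARDS) -> list:
    """Ports to put in HTTP_PORTS for a sensor at this placement."""
    return sorted({f.ext_port if sensor == "WAN" else f.int_port
                   for f in forwards if f.service == "http"})


def portvar_line(sensor: str, forwards=FORWARDS) -> str:
    """snort.conf-style variable line; in suricata.yaml the same list goes
    under vars: port-groups: HTTP_PORTS."""
    return "portvar HTTP_PORTS [%s]" % ",".join(map(str, http_ports(sensor, forwards)))
```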