Run Snort on LAN interface only to see all VLAN traffic from VLANs on same iface



  • This doesn't appear to be possible currently (unless I'm missing it in the settings).

    Would it be possible to run Snort on only the parent physical interface in pfSense (LAN in my case) and have it see the traffic for all the VLANs on that interface?

    I know this is possible with other Snort implementations: just point Snort at an interface in promiscuous mode receiving traffic from a SPAN port that is mirroring a trunk port, and then it gets all the traffic it sees, including all the VLAN traffic flowing across that port.

    Is anything like this possible with Snort on pfSense? As it is, I have multiple VLANs and would need to configure and run multiple instances of Snort, one for each pfSense interface (physical or virtual), and each takes up a decent amount of RAM, etc. It would be nice if I could just run one instance on the parent interface.

    Also interested if any of the above differs for Suricata.

    Thanks



  • @jeffh,

    Could you get a solution for this? I have exactly the same problem. Been cracking my head to get it done.
    It's the same with Suricata. You need to run it on multiple interfaces to get it to see all VLAN traffic.

    Thanks



  • Hi.

    http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node25.html

    Snort now supports multiple configurations based on VLAN Id or IP subnet within a single instance of Snort. This will allow administrators to specify multiple snort configuration files and bind each configuration to one or more VLANs or subnets rather than running one Snort for each configuration required. Each unique snort configuration file will create a new configuration instance within snort. VLANs/Subnets not bound to any specific configuration will use the default configuration. Each configuration can have different preprocessor settings and detection rules.

    Note:  Vlan and Subnets can not be used in the same line. Configurations can be applied based on either Vlans or Subnets not both.

    Note:  Even though Vlan Ids 0 and 4095 are reserved, they are included as valid in terms of configuring Snort.

    Regards.
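
    As an added illustration of the "config binding" syntax from the manual section quoted above (this is not from the post, and not the pfSense package's generated configuration): a hand-edited snort.conf for a stock Snort install that binds VLAN-specific configuration files to a single instance listening on the parent interface. File paths, VLAN IDs, subnets and rule file names are assumed.

```conf
# /usr/local/etc/snort/snort.conf  -- the DEFAULT configuration.
# Snort is started once on the parent (trunk) interface, e.g. "snort -i em0 -c snort.conf".
# "config binding" lines are only permitted in the default configuration.
config policy_id: 0

# Bind by 802.1Q VLAN ID. vlanIdList is comma separated; ranges are "low-high".
# Valid IDs are 0-4095 (0 and 4095 are reserved but accepted, as the manual notes).
config binding: /usr/local/etc/snort/vlan10.conf vlan 10
config binding: /usr/local/etc/snort/vlan20.conf vlan 20-30, 40

# Alternative for the per-customer-subnet case: bind by IP subnet instead.
# VLAN and subnet bindings cannot be mixed in one Snort instance, so these lines
# would replace the "vlan" bindings above, never sit beside them.
# config binding: /usr/local/etc/snort/customer-b.conf net 203.0.113.0/24
# config binding: /usr/local/etc/snort/customer-c.conf net 198.51.100.0/25, 2001:db8:1::/48

# Frames whose VLAN ID (or subnet) matches no binding fall through to this
# default configuration; keep it minimal if unbound VLANs should be left alone.
ipvar HOME_NET any
include $RULE_PATH/local.rules


# /usr/local/etc/snort/vlan10.conf  -- bound configuration for VLAN 10 (customer A).
# Each bound configuration needs its own unique policy_id; it is carried in
# unified2 alerts so the console can tell which customer's policy fired.
config policy_id: 10
ipvar HOME_NET [192.0.2.0/24]
include /usr/local/etc/snort/rules/customer-a.rules


# /usr/local/etc/snort/vlan20.conf  -- bound configuration for VLANs 20-30 and 40.
config policy_id: 20
ipvar HOME_NET [192.0.2.128/25,10.20.0.0/16]
include /usr/local/etc/snort/rules/customer-shared.rules
```

    Check the binding took effect with "snort -T -c snort.conf", which parses every bound file and rejects duplicate policy_ids or a vlan/net mix before anything is sniffed.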


  • Moderator

    Is that already possible with the Snort packages in pfSense? We're searching for a quite similar possibility, as we have multiple internal project VLANs that belong to different customers, so running Snort or Suricata on the WAN interface would interfere with every customer instead of only those that want IDS active on their subnet. Or is there another possibility to do that based on the different WAN IP addresses of the customers? If I read the post from javcasta correctly, that should be possible?

    Greets


  • Moderator

    Snort adds the blocked IPs to a pfSense alias table called snort2c.

    1. You could manually patch /etc/inc/filter.inc and modify the default (hidden) firewall rules to only apply to certain interfaces/ports etc.…

        # Snort package
        block {$log['block']} quick from <snort2c> to any tracker {$increment_tracker($tracker)} label "Block snort2c hosts"
        block {$log['block']} quick from any to <snort2c> tracker {$increment_tracker($tracker)} label "Block snort2c hosts"

    2. or comment out these two hidden rules and manually create the snort2c firewall rules as required…

  • Moderator

    @BBcan177 Thanks for chiming in. I didn't want to hijack the thread ;) but in my case I'm looking forward to more insights of the per VLAN/subnet setting.

    Our use case would be to protect various customer project networks, all separated into different VLANs/subnets that are routed via our firewall. All those networks get connected via our DC WAN line. But as only two or three customers ask about IDS/IPS usage, we'd like to set up Snort (or Suricata, for that matter) in a way that it listens on WAN but only intercepts/filters/blocks traffic belonging to those customers and leaves all other traffic alone. As different customers may have different needs, a per-customer (-> per public IP/per VLAN) configuration would be needed for that (IMHO), so that's the question I have: is such a setup possible at all?

    Greets