I'd like to install Snort on my pfSense firewall to monitor packets that get through our WAN interface. I am not interested in the traffic that reaches our WAN but is not allowed in - I want to monitor what makes it inside, after the firewall has parsed the packet.
Does this mean that I should enable Snort on the LAN and OPT interfaces rather than the WAN? Since we want to monitor the traffic that is allowed into our network, should I enable Snort on the WAN at all?
Snort puts interfaces it monitors in promiscuous mode, so you are right that it would see and alert on ALL traffic hitting your WAN interface whether the firewall passed the traffic or not. So putting it on an internal interface is better in my opinion. This way Snort only inspects what the firewall allowed to pass. This filters out a bunch of noise. Another added benefit of having it on the LAN (or other internal interface) is it sees traffic pre-NAT and post-NAT, so you can see the actual internal hosts that may be malware-infected and are attempting to communicate outbound. Running it only on the WAN means the only local IP you ever see in the logs is the WAN interface IP. If you don't use NAT, then that is not an issue; but most folks do use NAT and seeing only the WAN IP for all local hosts behind the firewall is not very helpful.
If you run Snort on multiple interfaces, then in the name of memory efficiency and CPU workload, I suggest tailoring the rules for the environment behind Snort. By that I mean if you don't have mail and web servers on your LAN, then don't run those rule sets on the LAN. Same idea if you don't have DB servers back there. You choose the rule sets appropriate for the hosts. But if you have a monster firewall with a ton of RAM and a beefy CPU, you can certainly load it up with all of the rules on all of the interfaces.
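The pre-NAT versus post-NAT attribution point above, as an added example that is not part of the original answer or of the pfSense Snort package: it parses Snort fast-format alert lines from a sensor and reports whether the alerts name real internal hosts or only the firewall's WAN address. The sample alert lines, SIDs, hosts, the internal subnet and the WAN IP 203.0.113.2 are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Matches Snort's "fast" alert output; the constructed sample lines below follow this shape.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast-format alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def attribute_sources(lines, internal_nets, wan_ip):
    """Group alert sources into real internal hosts vs. the firewall's own WAN address.

    A sensor on the WAN side sees post-NAT packets, so every outbound alert carries wan_ip
    as its source; a sensor on LAN/OPT sees pre-NAT packets and names the actual host."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    wan = ipaddress.ip_address(wan_ip)
    internal, nat_hidden = Counter(), 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        src = ipaddress.ip_address(a["src"])
        if src == wan:
            nat_hidden += 1            # attribution lost: only the WAN IP is visible
        elif any(src in n for n in nets):
            internal[str(src)] += 1    # real internal host, as seen pre-NAT
    return {"internal": internal, "nat_hidden": nat_hidden}

def placement_is_nat_blind(summary):
    """True when the sensor reports outbound alerts but never names an internal host."""
    return summary["nat_hidden"] > 0 and not summary["internal"]

# Constructed sample alerts (hypothetical SIDs and hosts); 203.0.113.2 is the firewall WAN IP.
LAN_ALERTS = [
    "03/14-10:22:01.123456  [**] [1:9000001:1] TEST outbound beacon [**] [Priority: 1] {TCP} 192.168.1.23:49152 -> 198.51.100.7:443",
    "03/14-10:22:05.654321  [**] [1:9000001:1] TEST outbound beacon [**] [Priority: 1] {TCP} 192.168.1.23:49153 -> 198.51.100.7:443",
    "03/14-10:23:10.000001  [**] [1:9000002:1] TEST suspicious DNS [**] [Priority: 2] {UDP} 192.168.1.40:53012 -> 198.51.100.9:53",
]
# The same events as a WAN-side sensor would log them: every source has been rewritten to the WAN IP.
WAN_ALERTS = [l.replace("192.168.1.23", "203.0.113.2").replace("192.168.1.40", "203.0.113.2") for l in LAN_ALERTS]

if __name__ == "__main__":
    for name, lines in (("LAN", LAN_ALERTS), ("WAN", WAN_ALERTS)):
        s = attribute_sources(lines, ["192.168.1.0/24"], "203.0.113.2")
        print(name, dict(s["internal"]), "nat_hidden:", s["nat_hidden"], "nat_blind:", placement_is_nat_blind(s))
```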