Reposted: Snort question (pfsense)

Greetings again,

I wrote an earlier post yesterday but did not say what I wanted to say properly. I have been reading a bunch of articles related to Snort rules and how to configure it properly on a system. I read that Snort should be used on a LAN interface rather than the WAN. A post on Netgate stated that by default WAN drops most connections. And by enabling it on LAN, I would have a better vision of which private IPs were doing what (before NAT). So, should I enable the LAN interface for scanning and blocking? Currently, I have WAN with the blocking feature, and I used LAN to see what was going on internally.

My final question is if I use an IPS policy such as “Security or Connectivity,” would I be able to add OpenApp ID rules alongside Snort subscriber rules? I like OpenApp for traffic identification, which makes everything easier to understand. Hypothetically, how do I decipher which rules would apply to my network if I use the LAN interface for blocking? An example would be if I have a Windows PC and there is a rule for Windows devices, should I enable it?

Hopefully, this made more sense, and I sometimes confuse myself! Thanks again for your time reading my post.


Using it on LAN makes tuning easier as there will be less noise. Turn on rules until too many things annoy you and start turning them off.

I have a video about rule tuning here.

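The tuning approach in the reply (enable rules, then turn off the ones that get noisy) needs a quick way to see which rules are firing most. As an added example, not code from this thread or from the pfSense Snort package, this Python script tallies alerts per GID:SID from Snort fast-format alert lines and renders candidate suppress-list entries for review; it assumes the fast alert format and uses constructed sample alerts with made-up SIDs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts in Snort "fast" format; SIDs 9000001-9000003 are made up.
SAMPLE_ALERTS = """\
08/15-14:23:01.100000  [**] [1:9000001:1] SAMPLE POLICY noisy rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.20:51000 -> 93.184.216.34:443
08/15-14:23:02.100000  [**] [1:9000001:1] SAMPLE POLICY noisy rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.20:51001 -> 93.184.216.34:443
08/15-14:23:03.100000  [**] [1:9000002:1] SAMPLE POLICY noisy rule B [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.20:5353 -> 224.0.0.251:5353
08/15-14:23:04.100000  [**] [1:9000001:1] SAMPLE POLICY noisy rule A [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.20:51002 -> 93.184.216.34:443
08/15-14:23:05.100000  [**] [1:9000002:1] SAMPLE POLICY noisy rule B [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.21:5353 -> 224.0.0.251:5353
08/15-14:23:06.100000  [**] [1:9000003:1] SAMPLE ATTACK rule C [**] [Classification: Attempted Admin] [Priority: 1] {ICMP} 192.168.1.30 -> 192.168.1.1
""".splitlines()

# One fast-format alert line: [**] [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def parse_alerts(lines):
    """Yield a dict per line that parses as a fast-format alert; skip the rest."""
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def noisy_rules(lines, min_hits=3):
    """Tally alerts per (gid, sid); return rules with >= min_hits, noisiest first."""
    hits, msgs, sources = Counter(), {}, defaultdict(set)
    for a in parse_alerts(lines):
        key = (a["gid"], a["sid"])
        hits[key] += 1
        msgs[key] = a["msg"]
        sources[key].add(a["src"])
    return [{"gid": g, "sid": s, "hits": n, "msg": msgs[(g, s)],
             "sources": sorted(sources[(g, s)])}
            for (g, s), n in hits.most_common() if n >= min_hits]

def suppress_entries(rules):
    """Render Snort threshold.conf-style suppress lines for review. A rule that only
    fires for one source host is narrowed with track by_src so it keeps alerting
    for everyone else; decide per rule whether suppressing is really appropriate."""
    out = []
    for r in rules:
        base = f"suppress gen_id {r['gid']}, sig_id {r['sid']}"
        if len(r["sources"]) == 1:
            base += f", track by_src, ip {r['sources'][0]}"
        out.append(base)
    return out
```

Feed it the real alert file instead of SAMPLE_ALERTS and raise min_hits to match the volume on your LAN; the output is a list to review, not something to paste blindly into the suppress list.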

Awesome, thank you very much!