Greetings again,
I wrote an earlier post yesterday but did not say what I wanted to say properly. I have been reading a bunch of articles related to Snort rules and how to configure it properly on a system. I read that Snort should be used on a LAN interface rather than the WAN. A post on Netgate stated by default WAN drops most connections by default. And by enabling it on LAN, I would have a better vision of which private IPs were doing what (before NAT). So, should I enable the LAN interface for scanning and blocking? Currently, I have WAN with the blocking feature, and I used LAN to see what was going on internally.
My final question is if I use an IPS policy such as “Security or Connectivity,” would I be able to add OpenApp ID rules alongside Snort subscriber rules? I like OpenApp for traffic identification, which makes everything easier to understand. Hypothetically, how do I decipher which rules would apply to my network if I use the LAN interface for blocking? An example would be if I have Windows PC and there is a rule for Windows devices, I should enable it?
Hopefully, this made more sense, and I sometimes confuse myself! Thanks again for your time reading my post.
-Ben