Reposted: Snort question (pfsense)

Greetings again,

I wrote an earlier post yesterday but did not say what I wanted to say properly. I have been reading a bunch of articles related to Snort rules and how to configure it properly on a system. I read that Snort should be used on a LAN interface rather than the WAN. A post on Netgate stated by default WAN drops most connections by default. And by enabling it on LAN, I would have a better vision of which private IPs were doing what (before NAT). So, should I enable the LAN interface for scanning and blocking? Currently, I have WAN with the blocking feature, and I used LAN to see what was going on internally.

My final question is if I use an IPS policy such as “Security or Connectivity,” would I be able to add OpenApp ID rules alongside Snort subscriber rules? I like OpenApp for traffic identification, which makes everything easier to understand. Hypothetically, how do I decipher which rules would apply to my network if I use the LAN interface for blocking? An example would be if I have Windows PC and there is a rule for Windows devices, I should enable it?

Hopefully, this made more sense, and I sometimes confuse myself! Thanks again for your time reading my post.

-Ben

Using it LAN makes tuning easier as there will be less noise. Turn on rules until too many things annoy you and start turning them off.

I have a video about rule tuning here

1 Like

Awesome, thank you very much!