I want to use a Raspberry Pi 4 as an Intrusion Protection System running snort3 on it. Can this machine go after the router/firewall and still protect all devices?
```
Modem === R7800 === Snort RPi4
            |
            |
  Netgear unmanaged switch
     |      |      |
     |      |      |
    PC1    PC2    PC3
```
It's not clear how this request is related to OpenWrt... maybe you can clarify.
Anyway, there are two general ways that this can be done, depending on the desired operation...
1. You can theoretically observe the traffic, but not intercept/stop the flow if you run port mirroring. I'm not sure if your R7800 can be configured for a proper port-mirror -- you may need a managed switch in order to get this to work. And it won't be able to do this for traffic over wifi.
2. Pass the traffic through your snort system. Here, if Snort is going to actually try to prevent intrusions (rather than just notify that you have suspected intrusions or other unusual traffic), it could theoretically step in as a traffic cop.
If you are opting for #2, you would need to route traffic through the snort system. To do this, you'd either have to put the snort system in front of your R7800, or you'd have to tell all of the hosts on the network to use the snort host as the gateway (and snort would use the R7800 as its gateway).
Hi
The biggest problem with your schematic is that the R7800 will be double loaded with traffic, because PC1-3 need to enter the R7800, then go to the RPi, from there back to the R7800, and from there it will go out on the WAN.
If this traffic is of a magnitude of 100 Mbps, it will be no problem, but a higher load ... ?
Plus, you will have complicated routing / GW, as @psherman explained in point 2.