XueHai8
Posts: 64
Joined: Mon Jul 24, 2017 12:19 pm

RPI VPN, PiHole, CloudFlare DoH and now Snort?

Sat Sep 28, 2019 1:11 pm

So, I have a Pi3B+ running OpenVPN Client, PiHole, and CloudFlare DoH as it is my network gateway, and everything seems to be working fine
So, of course, I want to muck it up.
I want to add Snort as the IDS/IPS to further secure my network.
I understand Snort eats lots of RAM, so I would probably need to upgrade to a Pi4B w/4GB - which I have bought.
So my requests for comments are:
1) Is Snort the best choice for the Pi running Raspbian?
2) Will it interface after OpenVPN Client so it will see the unencrypted data (like PiHole does)?
3) Is a Pi4B w/4GB recommended, or will the 3B+ w/1GB be enough?

Thanks!

XueHai8
Posts: 64
Joined: Mon Jul 24, 2017 12:19 pm

Re: RPI VPN, PiHole, CloudFlare DoH and now Snort?

Mon Sep 30, 2019 9:18 am

I am proceeding as intended using a Pi4B w/4GB RAM and rebuilding my current VPN, PiHole, CloudFlare server on it.
While a PITA, I'm trying to document every step so I can go back and do it again - should I ever need to (gads)
Now installing Snort, but not finding any real documentation on setting it up on Raspbian/Linux/Debian/etc.
Oh boy...

XueHai8
Posts: 64
Joined: Mon Jul 24, 2017 12:19 pm

Re: RPI VPN, PiHole, CloudFlare DoH and now Snort?

Mon Sep 30, 2019 11:56 pm

Here's an update, if anyone cares.
The Snort package in Raspbian Buster is 10 YEARS OLD. Snort.org doesn't support it, there are no rule sets to download. So it's basically worthless. The only alternative is to download the source and compile it on the Pi.
But...
Then it finally hit me, this won't work in my setup. Snort monitors the interface, I have a VPN client. So all the traffic is encrypted. Snort will never be able to analyze it. The alternative is to put a separate Snort server down-stream from the VPN client and IDS/IPS the traffic there. But a better alternative is to put Snort on the VPN server - to detect and prevent intrusions Before they get into the local network.
However...
That's not possible - at least not near-term: my VPN servers are remote and I have no way to upgrade them at the moment - let alone replace them with PI4B to handle the extra memory/cpu power required.
Which....
Leads to a nasty revelation (that I should have caught before): Having a VPN service (your own, or a paid subscription), just punches a hole in your firewall and leaves you completely vulnerable to whatever your VPN Service has (or has not) for IDS/IPS/firewall/etc.
So...
Learned a lot. Current plans are to clean up my docs, rebuild my VPN Client, SSL tunnel, Pi-Hole, CloudFlared DoH Pi. Then work on building and deploying new RPi 4B VPN Servers with custom compiled Snort at the front-end.
Cheers
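The placement argument in the post above (a signature IDS sees cleartext downstream of the VPN client or on the VPN server, but only opaque bytes on the WAN side of the client), modelled as an added example that is not part of the original thread. The tunnel cipher is a hash-based XOR keystream standing in for OpenVPN's real cipher, the HTTP request and the `/cgi-bin/` content match are constructed sample data, and the tap-point names are my own labels.

```python
import hashlib
import os

# Constructed sample: a cleartext request that a content-matching rule would
# flag (stand-in for any Snort/Suricata "content:" match; not an exploit).
CLEARTEXT = b"GET /cgi-bin/test.cgi HTTP/1.1\r\nHost: example.internal\r\n\r\n"
SIGNATURE = b"/cgi-bin/"  # the IDS rule's content match


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 of key||counter); stands in for the tunnel cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def vpn_encapsulate(plain: bytes, key: bytes) -> bytes:
    """Client side of the tunnel: plaintext -> opaque payload carried over the WAN."""
    return bytes(a ^ b for a, b in zip(plain, keystream(key, len(plain))))


def vpn_decapsulate(cipher: bytes, key: bytes) -> bytes:
    """Server side of the tunnel; XOR with the same keystream restores plaintext."""
    return vpn_encapsulate(cipher, key)


def ids_matches(packet: bytes, signature: bytes = SIGNATURE) -> bool:
    """What a content-matching IDS can decide at a given tap point."""
    return signature in packet


def visibility_by_tap_point(key: bytes) -> dict:
    """Run the same rule at the three tap points discussed in the thread."""
    tunnel = vpn_encapsulate(CLEARTEXT, key)
    return {
        # LAN side of the VPN client (downstream of the tunnel): cleartext
        "lan_downstream_of_client": ids_matches(CLEARTEXT),
        # WAN side of the VPN client (encrypted tunnel traffic): opaque bytes
        "wan_inside_tunnel": ids_matches(tunnel),
        # VPN server after decapsulation, before it reaches the LAN: cleartext
        "vpn_server_after_decap": ids_matches(vpn_decapsulate(tunnel, key)),
    }


if __name__ == "__main__":
    for tap, seen in visibility_by_tap_point(os.urandom(32)).items():
        print(f"{tap:26s} signature visible to IDS: {seen}")
```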

soccer_fan
Posts: 1
Joined: Thu Mar 26, 2020 9:05 am

Re: RPI VPN, PiHole, CloudFlare DoH and now Snort?

Thu Mar 26, 2020 9:07 am

I know this is slightly old but cheers for posting your detailed thought process. I'm examining the same idea and this has saved me tons of time by pointing out the key things to think about. :)

IanS
Posts: 246
Joined: Wed Jun 20, 2012 2:51 pm
Location: Southampton, England

Re: RPI VPN, PiHole, CloudFlare DoH and now Snort?

Thu Mar 26, 2020 11:09 am

For anybody else finding this old thread, there is a lighter-weight alternative to Snort called Bro. See https://www.tripwire.com/state-of-secur ... pberry-pi/ for an example of how it might be set up with other security tools.

logcabin
Posts: 21
Joined: Sat Jul 20, 2019 1:18 am

Re: RPI VPN, PiHole, CloudFlare DoH and now Snort?

Thu Mar 26, 2020 7:42 pm

XueHai8 wrote:
Mon Sep 30, 2019 11:56 pm
My setup, FWIW:

Pi 3B running firewall with Suricata IPS

Pi 4B behind firewall with VPN client and SOCKS server

sora03
Posts: 250
Joined: Mon Dec 29, 2014 4:11 pm
Location: Philippines

Re: RPI VPN, PiHole, CloudFlare DoH and now Snort?

Fri Mar 27, 2020 11:25 am

logcabin wrote:
Thu Mar 26, 2020 7:42 pm
My setup, FWIW:

Pi 3B running firewall with Suricata IPS

Pi 4B behind firewall with VPN client and SOCKS server
Do you have documentation on how you set up Suricata on the Pi? All I find is how to set it up for pfSense.
Mastodon: https://mastodon.social/@ssora

logcabin
Posts: 21
Joined: Sat Jul 20, 2019 1:18 am

Re: RPI VPN, PiHole, CloudFlare DoH and now Snort?

Fri Mar 27, 2020 11:44 am

sora03 wrote:
Fri Mar 27, 2020 11:25 am
Do you have documentation on how you set up Suricata on the Pi? All I find is how to set it up for pfSense.
Here's a link from the Suricata site:

https://redmine.openinfosecfoundation.o ... asic_Setup

My Pi 3B is running the IPFire firewall, which includes Suricata. So far, it has been running well.
