BRO as a HIDS

Is it possible? All of the documentation I’m running into is the typical setup where a SPAN/mirror port or tap is used to send all network traffic to a NIC on a box that then also has a NIC on the LAN/internet access.

Since I’m already using a pfSense router, have snort and firewall logs going to an indexer, I wanted to see if I could install BRO on my internet facing server, and send logs to said indexer. This would mean the server’s one NIC would be in promiscuous mode, taking in legit traffic but also being monitored by BRO, then also being used for LAN traffic. Is this possible?

I don’t see why it wouldn’t work; you may run into bandwidth limitations if you’re sharing a mirror port, but otherwise it should work. There are probably some security concerns there though, so make sure you have a firewall on that interface just to be sure that anything which isn’t LAN traffic is getting blocked.

Been racking my brain on how to avoid ‘punching’ a hole in my DMZ firewall so the Splunk forwarder can forward to its server on the LAN. Was googling various bridging, SPAN and VLAN stuff for pfSense and way out of my zone.

Then I realized in my tunnel vision of wanting my ESXi box to do all the things, and not wanting to get any more hardware, I have a Pi 3 in a corner without a purpose for months now. So I guess a good ol’ conventional pfSense SPAN port setup and BRO Pi per tutorial on the LAN: more data than I needed but no need to change firewall settings. Was looking at this tutorial-