Linux – Snort Based Firewall

Tags: filtering, firewall, freebsd, linux, snort

I have not worked with SNORT much or done too much research on this but it sounds possible.

If I set up a server and run Snort on it, would it then be possible to route ALL my traffic through it like a firewall to my websites? Would this allow me to have a central point to filter out all bad traffic?

As far as forwarding goes, should I use GRE tunneling, or is there a better way? I would like to try and keep the client's IP if at all possible.

So I could maybe run HAProxy/nginx as a way to forward the website traffic on, keep the client IP in the packet, and not end up with every client appearing as the proxy server's IP.

Best Answer

One installation method for Snort is called in-line mode. In this configuration your Snort sensor will be a choke point for your traffic, much like a traditional router or firewall. All packets will be received on the outside interface, passed through the Snort application, and then forwarded out of the inside interface. If done correctly it will be transparent to the traffic and will be nothing more than a bridge. It also requires no modifications to the servers you are attempting to protect. All traffic will flow through the sensor because it cannot go anywhere else.

From here you can decide whether to run Snort in IDS or IDP mode. IDS is less scary to implement, in that alerts will be fired and bad traffic will be logged, but packets will still be passed. IDP mode will analyze the packets and, if configured to do so, will drop a packet if it triggers an alert.

In any case you must be careful with which rules you configure, and that your sensor is properly sized. If, for example, the snortd process is overloaded and can't process a packet, it won't make it out the other side. It is quite easy for Snort to hit 100% CPU usage or exhaust its memory.
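As an added illustration of the in-line setup the answer describes (this is example code, not something the answerer posted), the script below brings up a Linux sensor as a bump-in-the-wire and shows how the IDS/IDP choice comes down to the rule action. Everything specific here is my assumption, not the page's: the interface names eth1 (outside) and eth2 (inside), Snort 2.9.x with the afpacket DAQ, the rules path /etc/snort/rules/local.rules, and the two signatures, which are constructed for the example and are not real Snort community rules.

```shell
#!/bin/sh
# Added example: an inline Snort sensor bridging two NICs on Linux.
# Assumptions (not from the original page): eth1 = outside, eth2 = inside,
# Snort 2.9.x built with the afpacket DAQ.
set -eu

OUTSIDE=eth1
INSIDE=eth2

# Bring both interfaces up with no IP address. The sensor is a bridge, so
# nothing on the wire sees a new hop or a rewritten source address, which is
# what keeps the real client IP intact for the web servers behind it.
bridge_up() {
  ip link set "$OUTSIDE" up promisc on
  ip link set "$INSIDE" up promisc on
  # Disable NIC offloads so Snort inspects frames exactly as they arrive.
  for nic in "$OUTSIDE" "$INSIDE"; do
    ethtool -K "$nic" gro off lro off tso off gso off 2>/dev/null || true
  done
}

# The whole IDS-vs-IDP decision is the rule action:
#   alert  -> log it, but the packet is still forwarded (IDS behaviour)
#   drop   -> log it and discard it; only honoured when the DAQ runs inline
rule_action() {
  case "$1" in
    ids) echo alert ;;
    ips) echo drop ;;
    *) echo "usage: rule_action ids|ips" >&2; return 1 ;;
  esac
}

# Write a minimal local.rules for the chosen mode. Both signatures are
# constructed examples; sids >= 1000000 are reserved for local rules.
write_rules() {
  mode=$1; out=$2
  action=$(rule_action "$mode")
  cat > "$out" <<EOF
# generated for mode=$mode
$action tcp any any -> any 80 (msg:"Example: directory traversal in URI"; flow:to_server,established; content:"../"; http_uri; sid:1000001; rev:1;)
$action tcp any any -> any 80 (msg:"Example: SQL injection probe"; flow:to_server,established; content:"' or 1=1"; nocase; http_uri; sid:1000002; rev:1;)
EOF
}

# Start Snort inline. "eth1:eth2" tells the afpacket DAQ to forward between
# the pair; -Q puts Snort in inline mode so drop rules really drop.
# buffer_size_mb is the sizing knob the answer warns about: if the ring fills
# because snortd cannot keep up, packets never reach the inside interface.
snort_cmd() {
  echo "snort -Q --daq afpacket --daq-mode inline --daq-var buffer_size_mb=512 -i ${OUTSIDE}:${INSIDE} -c /etc/snort/snort.conf -l /var/log/snort -D"
}

# Typical use (as root), starting in IDS mode and promoting to IDP later:
#   bridge_up
#   write_rules ids /etc/snort/rules/local.rules   # later: write_rules ips ...
#   eval "$(snort_cmd)"
```

Note that the Snort command line is identical in both modes; only the rule action changes, which is why moving from IDS to IDP can be done rule by rule once the sensor has proven it can keep up with the traffic. If the snortd process dies or stalls, the bridge stops forwarding, so a sensor built this way fails closed unless you add a hardware bypass.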