@code4food23 said in Puzzled about the number of Suricata instances needed for LAN and VLANs due to device showing up on both alert logs:
Also sorry for the dumb question, but the IPs help see which device made the traffic to trigger the alert right?
Hello,
Forgive me (pls.) for butting into the conversation here, but Bill is absolutely right that the management of IDS/IPS systems is a challenge for many well trained administrators too.
To run them in your home, I don't think it's absolutely necessary...
pfSense basically drops all unwanted traffic on the WAN interface, plus if you use a well configured pfBlockerNG you are safe, this can be said.
Suricata and Snort can cause a lot of headaches; if you are not skilled enough to handle them, I would start with a VM install and practice before deploying it on my system.
You can also get away with a lot of the abuse your family sends you when the internet isn't working in your home. 😉
(and if it's set up wrong it can limit a lot of other things in the background that you haven't even discovered yet: FTP, SFTP, torrents, other P2P, streams, etc.)
BTW:
The physical interface is the "igb_" interface (Intel PHY) that physically connects to the port (RJ45) on your pfSense box. Those IDS/IPS systems listen to the traffic on the physical interface, so if you create virtual things (VLANs) on that interface, their traffic will pass through it, but as written the VLAN handling is not really functional at the moment (because of the tags).
Edit:
Don't get me wrong, I'm not trying to dissuade you and welcome to the team, but at least run it in alert mode first to avoid a lot of unwanted problems.
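As an added illustration (not code from the thread or from the Suricata project) of why one device can show up in two alert logs: an instance on the parent interface and an instance on the VLAN interface can both report the same flow. The script below assumes the per-interface EVE JSON logs have been concatenated into one text, parses the constructed sample lines, merges alerts that share the same 5-tuple and signature, and counts distinct alerts per source IP, which is how the IP points back to the device. Interface names, addresses and the signature are made up.

```python
import json
from collections import defaultdict

# Constructed sample EVE JSON (not from the thread). The first two lines are the
# same flow seen once on the parent interface and once on the VLAN interface,
# so the same alert is logged twice. Interface names and sid are hypothetical.
SAMPLE_EVE = """
{"timestamp":"2024-01-01T10:00:00.000001+0000","event_type":"alert","in_iface":"igb1","src_ip":"192.168.20.15","src_port":51515,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"signature":"CONSTRUCTED test rule"}}
{"timestamp":"2024-01-01T10:00:00.000350+0000","event_type":"alert","in_iface":"igb1.20","vlan":[20],"src_ip":"192.168.20.15","src_port":51515,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"signature":"CONSTRUCTED test rule"}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"flow","in_iface":"igb1","src_ip":"192.168.20.15","dest_ip":"203.0.113.9"}
{"timestamp":"2024-01-01T10:01:00.000000+0000","event_type":"alert","in_iface":"igb1","src_ip":"192.168.10.7","src_port":40000,"dest_ip":"198.51.100.2","dest_port":443,"proto":"TCP","alert":{"signature_id":1000001,"signature":"CONSTRUCTED test rule"}}
"""


def parse_alerts(eve_text):
    """Return only the alert events from EVE JSON text (one JSON object per line)."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") == "alert":
            alerts.append(event)
    return alerts


def collapse_duplicates(alerts):
    """Merge alerts with the same 5-tuple and signature; remember which
    interface and VLAN tag(s) saw each one so the double logging is visible."""
    merged = {}
    for ev in alerts:
        key = (ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"],
               ev["proto"], ev["alert"]["signature_id"])
        entry = merged.setdefault(key, {"src_ip": ev["src_ip"],
                                        "dest_ip": ev["dest_ip"],
                                        "signature": ev["alert"]["signature"],
                                        "seen_on": []})
        entry["seen_on"].append((ev.get("in_iface"), tuple(ev.get("vlan", []))))
    return list(merged.values())


def alerts_per_source(collapsed):
    """Count distinct alerts per source IP, i.e. per LAN device that caused them."""
    counts = defaultdict(int)
    for entry in collapsed:
        counts[entry["src_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for entry in collapse_duplicates(parse_alerts(SAMPLE_EVE)):
        print(entry["src_ip"], "->", entry["dest_ip"], entry["signature"], entry["seen_on"])
```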