Netgate Discussion Forum

Snort/Suricata cannot detect alert

IDS/IPS
  • E
    ezvink
    last edited by Jul 29, 2022, 1:13 PM

    I have a network topology like this:

    [Image: network topology diagram]

    I installed Snort/Suricata on pfSense. Snort/Suricata will secure the LAN network (intrnet1) with the added rules, namely NMAP, ICMP, DDOS, etc.

    What I want to ask: the Snort/Suricata that I installed can't detect attacks from the Attacker (Intrnet2).
    Can Snort/Suricata only detect IPs registered in pfSense 192.168.15.1 (intrnet1)? I have also assigned the DHCP server to the IP 192.168.15.1, and the webserver host got the IP 192.168.15.5; the package installed on the webserver is Apache.

    • S
      stephenw10 Netgate Administrator
      last edited by Jul 29, 2022, 1:42 PM

      It will detect traffic to/from all clients in the Intrnet1 subnet, not just the pfSense interface IP.

      Are you seeing any alerts at all? How have you configured Snort/Suricata?

      Steve

      • E
        ezvink @stephenw10
        last edited by Jul 29, 2022, 2:07 PM

        @stephenw10
        Apparently it was detected, sir, but when I tried the hack the alert took a long time to appear: the information in the Suricata alert log appeared at 5:39 PM Asia/Jakarta, while I did the hack at 11:30 AM Asia/Jakarta.

        What do you think is the reason for that, sir? Does the specification of the PC I use have an effect?

        • J
          johnpoz LAYER 8 Global Moderator @ezvink
          last edited by Jul 29, 2022, 2:12 PM

          @ezvink A system running on X that logs what it sees is going to log per what time it thinks it is. Doesn't matter if that is correct or not.

          Did you validate time is correct on pfSense?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          • N
            NogBadTheBad @johnpoz
            last edited by NogBadTheBad Jul 29, 2022, 2:20 PM Jul 29, 2022, 2:18 PM

            Run the following from the pfSense command line:

            logger -h 172.16.2.10 -P 514 TEST
            

            172.16.2.10 < syslog server

            514 < syslog server port

            Do the times match?

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
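
An added example, not part of any post in this thread: one way to measure the time gap the replies ask about, by comparing when test traffic was sent (per a trusted clock) with the timestamps Suricata wrote for the resulting alerts. It assumes Suricata's `fast.log` line format; `alert_time`, `clock_skew` and the sample lines are hypothetical, and the 15-minute time zone heuristic is an assumption of this example.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Assumed log format: Suricata fast.log, lines start MM/DD/YYYY-HH:MM:SS.ffffff
TS_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s")

def alert_time(line):
    """Sensor-side timestamp of one fast.log line, or None if it has none."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%m/%d/%Y-%H:%M:%S.%f") if m else None

def clock_skew(pairs, tolerance=timedelta(seconds=5)):
    """pairs: (time the test traffic was sent per a trusted clock, fast.log line).
    Returns (median skew, verdict); positive skew = sensor stamps are later."""
    skews = []
    for sent, line in pairs:
        logged = alert_time(line)
        if logged is not None:
            skews.append((logged - sent).total_seconds())
    if not skews:
        return None, "no parsable alerts"
    skew = timedelta(seconds=median(skews))
    if abs(skew) <= tolerance:
        return skew, "in sync"
    # Heuristic (assumption): UTC offsets come in 15-minute steps, so a skew near a
    # multiple of 15 min suggests a time zone setting; anything else, a wrong clock.
    rem = abs(skew.total_seconds()) % 900
    zone_like = min(rem, 900 - rem) <= tolerance.total_seconds()
    verdict = "time zone setting" if zone_like else "clock not synchronised"
    return skew, verdict

# Constructed sample: test sent around 11:30, alerts stamped around 17:39 as in the
# thread; seconds, rule text, SID and the source address are made up.
RULE = ("  [**] [1:1000001:1] LOCAL ICMP test [**] [Classification: Misc activity]"
        " [Priority: 3] {ICMP} 192.168.16.5:8 -> 192.168.15.5:0")
SAMPLE = [
    (datetime(2022, 7, 29, 11, 30, 0), "07/29/2022-17:39:02.100000" + RULE),
    (datetime(2022, 7, 29, 11, 30, 10), "07/29/2022-17:39:12.300000" + RULE),
    (datetime(2022, 7, 29, 11, 30, 20), "07/29/2022-17:39:22.200000" + RULE),
]

if __name__ == "__main__":
    skew, verdict = clock_skew(SAMPLE)
    print(f"median skew {skew}: {verdict}")
```

The median is used so that one alert delayed by processing does not distort the measured offset.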
