Netgate Discussion Forum
    Understanding Suricata on VPN Client Gateways?

IDS/IPS
pfBasic:

      I have one standard WAN gateway, and also two OpenVPN Client Gateways. I have suricata monitoring traffic on all three gateways.

      On the WAN I get by far the most hits, even though almost all of my network traffic is directed through the VPN gateways.

      On the VPN gateways I do still get hits, and hits that I can correlate to things that are happening on my network, but I get far fewer hits than on the WAN. This confuses me since most of my traffic is going through the VPN Gateways.

My first thought was that since they are VPNs, not even my Suricata can see them. I had originally thought that since Suricata was part of the system it would be able to see the packets before they were encrypted. But, if I look at my http logs on the VPN interfaces, I can see all of the http traffic on the VPN gateways, which implies that Suricata can in fact see the packets before they are encrypted.

      So why am I generating so few hits on the VPN Gateways? They actually have more rules enabled than WAN.

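A way to put numbers on the comparison the post describes, as an added example that is not part of the original post and not Netgate's or Suricata's own code: the script below reads Suricata EVE JSON lines, tallies events per `in_iface`, and reports alerts per http event for each interface, so the WAN count can be set against how much inspected traffic each OpenVPN client interface actually produced, along with the top signatures per interface. It assumes EVE JSON output is enabled on each Suricata instance and that each record carries an `in_iface` field; the interface names (em0, ovpnc1, ovpnc2), signature names and log lines are constructed for the example.

```python
"""Tally Suricata EVE JSON events per interface (added example, not from the post)."""
import json
import sys
from collections import Counter, defaultdict


def _ev(iface, event_type, **extra):
    """Build one constructed eve.json line (helper for the sample data only)."""
    rec = {"timestamp": "2024-01-01T00:00:00.000000+0000", "event_type": event_type}
    if iface is not None:
        rec["in_iface"] = iface
    rec.update(extra)
    return json.dumps(rec)


# Constructed sample: WAN (em0) with several alerts but little http,
# OpenVPN client gateways (ovpnc1, ovpnc2) with more http but few alerts,
# plus one record without in_iface and one malformed line.
SAMPLE_EVE_LINES = [
    _ev("em0", "alert", alert={"signature": "EXAMPLE SCAN inbound probe", "signature_id": 9000001}),
    _ev("em0", "alert", alert={"signature": "EXAMPLE SCAN inbound probe", "signature_id": 9000001}),
    _ev("em0", "alert", alert={"signature": "EXAMPLE POLICY outbound client", "signature_id": 9000002}),
    _ev("em0", "http", http={"hostname": "example.com", "url": "/"}),
    _ev("ovpnc1", "http", http={"hostname": "example.com", "url": "/a"}),
    _ev("ovpnc1", "http", http={"hostname": "example.com", "url": "/b"}),
    _ev("ovpnc1", "http", http={"hostname": "example.net", "url": "/c"}),
    _ev("ovpnc1", "http", http={"hostname": "example.net", "url": "/d"}),
    _ev("ovpnc1", "alert", alert={"signature": "EXAMPLE POLICY outbound client", "signature_id": 9000002}),
    _ev("ovpnc2", "http", http={"hostname": "example.org", "url": "/e"}),
    _ev("ovpnc2", "http", http={"hostname": "example.org", "url": "/f"}),
    _ev(None, "flow"),
    "{this line is not valid json",
]


def _parse(lines):
    """Yield parsed records, skipping blank or malformed lines."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def tally_by_iface(lines):
    """Return {iface: {event_type: count}}; records without in_iface go under 'unknown'."""
    tally = defaultdict(Counter)
    for ev in _parse(lines):
        tally[ev.get("in_iface", "unknown")][ev.get("event_type", "unknown")] += 1
    return {iface: dict(counts) for iface, counts in tally.items()}


def alerts_per_http(tally):
    """Alerts divided by http events per interface; None where no http was logged."""
    out = {}
    for iface, counts in tally.items():
        http = counts.get("http", 0)
        out[iface] = None if http == 0 else counts.get("alert", 0) / http
    return out


def top_signatures(lines, iface, n=3):
    """Most frequent alert signatures on one interface as [(signature, count), ...]."""
    sigs = Counter()
    for ev in _parse(lines):
        if ev.get("event_type") == "alert" and ev.get("in_iface") == iface:
            sigs[ev.get("alert", {}).get("signature", "?")] += 1
    return sigs.most_common(n)


def main(paths):
    """Read eve.json files given on the command line, or the sample when none are."""
    lines = list(SAMPLE_EVE_LINES)
    if paths:
        lines = []
        for path in paths:
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines.extend(fh)
    tally = tally_by_iface(lines)
    ratio = alerts_per_http(tally)
    for iface in sorted(tally):
        r = ratio[iface]
        print(f"{iface}: {tally[iface]}  alerts/http={'n/a' if r is None else f'{r:.2f}'}")
        for sig, count in top_signatures(lines, iface):
            print(f"    {count:4d}  {sig}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

On pfSense each Suricata instance writes its own eve.json under its interface log directory, so pass all of them on one command line to get a single per-interface table; the `in_iface` field is what keeps the instances apart once the lines are merged.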
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.