Suricata on Backup PFSense give me alerts
-
Hi, I have two pfSense VMs on ESX, and configured HA, which works fine (I also configured Suricata config sync on the master), but Suricata on both the master and the backup pfSense gives me alerts. Is this right? What should I do to receive alerts on the master pfSense only?
Thank you
-
@farazb59 If you're running it on WAN, it runs outside the firewall, so it is likely bots scanning your IPs.
-
@SteveITS Thanks for the answer, but no, it's between the server farm and the DMZ; it's inside traffic.
-
@farazb59 What alerts are triggering? As mentioned previously, it's running outside of pfSense, so there are packets going to the secondary.
-
@michmoor Traffic is from the server farm to the DMZ with local IP addresses. The alerts are "Suricata stream closewait fin out of window" between many servers in the server farm and the LAN-side interface of the DMZ server. I have two interfaces in the DMZ servers, for the LAN and WAN side.
src 172.16.1.4:1433, dst 172.16.12.14: random port
Thank you
-
Suricata puts the interface it is running on in promiscuous mode so that it sees all traffic on the segment, not just traffic destined for that particular NIC (note this generalization ignores filtering any upstream Ethernet switch might be doing at Layer 2).
Suricata also sits outside the firewall engine. The packet flow for inbound traffic is from the NIC to Suricata and then to the firewall engine. Outbound traffic is just the opposite: from the firewall engine to Suricata and then to the NIC.
If you want to receive alerts only from the master, then you will need to turn off Suricata on the secondary. Then upon failover you would need to manually start Suricata.
The NIC in the secondary is sitting there receiving traffic and forwarding it to the kernel. The kernel just does not act upon it if the firewall is in standby secondary mode. But Suricata will see the traffic as it comes off the NIC, thus it will log what it sees. It is totally ignorant of "primary" versus "secondary". It's just a dumb packet sniffer seeing traffic, so it analyzes and logs it.
-
@farazb59 The “stream” events ruleset seems to generate a lot of false positives. Consider just turning it off, which is what we do.
Curious how any traffic goes through the secondary, if it hasn’t become master?
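The two explanations above (both HA nodes sniff the same segment, so the backup logs the same flows as the master; and the stream-events ruleset is mostly noise) can be checked against the eve.json output each node writes. The script below is an added example written for this thread, not code from the pfSense or Suricata projects. It assumes Suricata's standard eve.json alert record layout; the records themselves are constructed, the interface name, timestamps and the signature ids are placeholders, and the "LOCAL" rule is invented for illustration. It drops stream-events alerts (their signatures start with "SURICATA STREAM") and then collapses duplicates across the two nodes using the 5-tuple plus signature id, because each Suricata instance assigns its own flow_id, so that field cannot be used to match the master's copy with the backup's.

```python
import json
from typing import Dict, List, Tuple


def _rec(ts: str, flow_id: int, sid: int, sig: str, src: str, sport: int,
         dst: str, dport: int, sev: int = 3) -> str:
    """Build one constructed eve.json alert line in Suricata's record layout."""
    return json.dumps({
        "timestamp": ts, "flow_id": flow_id, "in_iface": "vmx2",  # placeholder iface
        "event_type": "alert", "src_ip": src, "src_port": sport,
        "dest_ip": dst, "dest_port": dport, "proto": "TCP",
        "alert": {"signature_id": sid, "signature": sig, "severity": sev},
    })


# Constructed sample: the master node's eve.json. sid 2210000 is a placeholder
# standing in for a stream-events rule; sid 1000001 is an invented local rule.
MASTER_EVE = "\n".join([
    _rec("2024-01-01T10:00:00.000000+0000", 101, 2210000,
         "SURICATA STREAM CLOSEWAIT FIN out of window",
         "172.16.1.4", 1433, "172.16.12.14", 50321),
    _rec("2024-01-01T10:00:01.000000+0000", 102, 2210000,
         "SURICATA STREAM CLOSEWAIT FIN out of window",
         "172.16.1.4", 1433, "172.16.12.14", 50322),
    _rec("2024-01-01T10:00:02.000000+0000", 103, 1000001,
         "LOCAL constructed test signature",
         "172.16.12.14", 50323, "172.16.1.4", 1433, sev=2),
])

# The backup sees the same segment traffic, so it emits the same alerts,
# but with its own flow_ids and slightly different timestamps.
BACKUP_EVE = "\n".join([
    _rec("2024-01-01T10:00:00.004000+0000", 501, 2210000,
         "SURICATA STREAM CLOSEWAIT FIN out of window",
         "172.16.1.4", 1433, "172.16.12.14", 50321),
    _rec("2024-01-01T10:00:01.003000+0000", 502, 2210000,
         "SURICATA STREAM CLOSEWAIT FIN out of window",
         "172.16.1.4", 1433, "172.16.12.14", 50322),
    _rec("2024-01-01T10:00:02.005000+0000", 503, 1000001,
         "LOCAL constructed test signature",
         "172.16.12.14", 50323, "172.16.1.4", 1433, sev=2),
])


def parse_alerts(eve_text: str, node: str) -> List[dict]:
    """Parse eve.json lines, keep only alert records, tag each with its node."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        rec["node"] = node
        alerts.append(rec)
    return alerts


def is_stream_event(rec: dict) -> bool:
    """Alerts from stream-events.rules carry signatures starting 'SURICATA STREAM'."""
    return rec["alert"]["signature"].startswith("SURICATA STREAM")


def flow_key(rec: dict) -> Tuple:
    """Cross-node identity: 5-tuple plus sid. flow_id is per-sensor, so it is excluded."""
    return (rec["proto"], rec["src_ip"], rec["src_port"],
            rec["dest_ip"], rec["dest_port"], rec["alert"]["signature_id"])


def dedupe_across_nodes(alerts: List[dict], preferred_node: str = "master"):
    """Keep one copy per flow_key, preferring the master's copy when both nodes alert."""
    ordered = sorted(alerts, key=lambda r: (r["node"] != preferred_node, r["timestamp"]))
    seen, kept, dups = set(), [], []
    for rec in ordered:
        key = flow_key(rec)
        if key in seen:
            dups.append(rec)
        else:
            seen.add(key)
            kept.append(rec)
    return kept, dups


def summarize(master_text: str, backup_text: str,
              drop_stream_events: bool = True) -> Dict[str, int]:
    """Count raw alerts, stream-event noise removed, and cross-node duplicates."""
    alerts = parse_alerts(master_text, "master") + parse_alerts(backup_text, "backup")
    total = len(alerts)
    if drop_stream_events:
        alerts = [r for r in alerts if not is_stream_event(r)]
    kept, dups = dedupe_across_nodes(alerts)
    return {
        "total": total,
        "stream_events_dropped": total - len(alerts),
        "unique": len(kept),
        "duplicates": len(dups),
        "duplicates_from_backup": sum(1 for r in dups if r["node"] == "backup"),
    }


if __name__ == "__main__":
    print(summarize(MASTER_EVE, BACKUP_EVE))
    print(summarize(MASTER_EVE, BACKUP_EVE, drop_stream_events=False))
```

Run against the constructed records, six raw alerts reduce to one unique alert once stream events are dropped and the backup's duplicate is collapsed; with stream events kept, all three of the backup's alerts are flagged as duplicates of the master's, which is the behaviour the thread describes.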