Netgate Discussion Forum
Suricata didn't detect any alert when attackers intrude my inside network

IDS/IPS
11 Posts, 4 Posters, 3.2k Views

gowhadsteen (last edited Nov 25, 2017, 4:07 AM)

Hi, I'm a student and really new to pfSense. I got a project to make a bridge router with IPS inside and use public IPs behind the router. Here's the topology.

    Internet == pfSense+suricata == switch == IP Public
                                           == IP Public

I already followed the instructions to make bridge mode. And here are my problems.

1. If I used inline mode in Suricata, it only detected intrusion without blocking anything when I attacked the pfSense directly, but it didn't detect anything when I attacked the public IP behind the pfSense.

2. If I used legacy mode in Suricata, it could block and detect intrusion if I attacked the pfSense directly. However, it also didn't detect anything when I attacked the public IP behind the pfSense.

Did I do something wrong here? Or is it not supported in this scenario?
pf.jpg
strangegopher (last edited Nov 25, 2017, 7:43 AM)

I wonder why inline mode doesn't block anything. My guess is all rules are alert-only by default and alerts only get blocked in legacy mode.
kejianshi (last edited Nov 25, 2017, 8:02 AM)

I know a way to make all rules drop, but it's a bit of a nuclear option. Very simple though. Let me know if you still want to do that.
gowhadsteen (last edited Nov 25, 2017, 9:36 AM)

For rules, I used emerging-scan and emerging-dos; I already set them up in SID Management to make all rules drop. For penetration, I use nmap to do port scanning. Suricata detected intrusion whenever I scanned pfSense's IP directly, but it didn't work when I scanned the public IP client.
kejianshi (last edited Nov 25, 2017, 9:48 AM)

Suricata works on interfaces you define. If the traffic never touches that interface, Suricata never sees it.
gowhadsteen (last edited Nov 26, 2017, 6:06 AM)

@kejianshi:

Suricata works on interfaces you define. If the traffic never touches that interface, Suricata never sees it.

So it means it won't work with my scenario? Technically it should work, right? Because the bad packets that penetrate to the public IP client behind the pfSense pass through the Ethernet. Why didn't it read that traffic?
kejianshi (last edited Nov 26, 2017, 6:37 AM)

If the traffic passed an interface with Suricata running on it and the traffic matched a rule, it should at least fire off an alert.
gowhadsteen (last edited Nov 26, 2017, 11:04 AM)

Hi guys, finally I found the solution for my issues. At first, I tried to figure out what 'HOME_NET' is.

Then I found what it is and how to enter my public IP clients into the 'HOME_NET' list. Now penetration to my public IP clients is detected by Suricata itself.

BTW, thank you for your help guys! :D :D :D
bmeeks (last edited Nov 26, 2017, 1:29 PM)

@gowhadsteen:

Hi guys, finally I found the solution for my issues. At first, I tried to figure out what 'HOME_NET' is.

Then I found what it is and how to enter my public IP clients into the 'HOME_NET' list. Now penetration to my public IP clients is detected by Suricata itself.

BTW, thank you for your help guys! :D :D :D

Properly populating the HOME_NET and EXTERNAL_NET variables is key to getting any IDS/IPS to work correctly. Nearly all the rules use those two variables (HOME_NET or EXTERNAL_NET) as the source or destination, so if the IP values encoded in those variables are not correct, rules won't fire. The default install assumes HOME_NET is all the locally attached networks (meaning the network blocks defined in each firewall interface, with the exception of the WAN). EXTERNAL_NET is then automatically defined as everything not in HOME_NET. This works for almost all users, but if you are attempting a more complicated configuration, then manually tweaking the HOME_NET and/or EXTERNAL_NET definitions may be required.

Bill
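Bill's point, as an added example that is not from this thread or from the Suricata/pfSense projects: a small Python evaluator for the address part of a Suricata rule header, run against constructed HOME_NET/EXTERNAL_NET values, showing why a scan aimed at an address missing from HOME_NET never matches an $EXTERNAL_NET -> $HOME_NET rule until that block is added. The address blocks, the rule and the variable contents are assumptions.

```python
import ipaddress

# Constructed variables mirroring the default described above: HOME_NET is only
# the locally attached LAN and EXTERNAL_NET is "not HOME_NET". Blocks are assumed.
DEFAULT_VARS = {"HOME_NET": "[192.168.1.0/24]", "EXTERNAL_NET": "!$HOME_NET"}
# The same variables after adding the public block that sits behind the bridge.
FIXED_VARS = {"HOME_NET": "[192.168.1.0/24,198.51.100.0/24]", "EXTERNAL_NET": "!$HOME_NET"}

def _split_members(body):
    """Split a bracketed address list on top-level commas (nested [] allowed)."""
    members, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            members.append(cur)
            cur = ""
        else:
            cur += ch
    return [m.strip() for m in members + [cur] if m.strip()]

def in_group(ip, expr, variables):
    """True if ip is covered by a Suricata address group such as $HOME_NET,
    !$HOME_NET, 10.0.0.0/8 or [10.0.0.0/8,!10.1.0.0/16]."""
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not in_group(ip, expr[1:], variables)
    if expr.startswith("$"):
        return in_group(ip, variables[expr[1:]], variables)
    if expr.startswith("[") and expr.endswith("]"):
        members = _split_members(expr[1:-1])
        positive = [m for m in members if not m.startswith("!")]
        negated = [m[1:] for m in members if m.startswith("!")]
        # A list made only of negated members means "everything except these".
        included = not positive or any(in_group(ip, m, variables) for m in positive)
        return included and not any(in_group(ip, m, variables) for m in negated)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)

def rule_matches(rule, src_ip, dst_ip, variables):
    """Evaluate only the address part of a rule header: action proto src sport dir dst dport."""
    _, _, src, _, direction, dst, _ = rule.split()[:7]
    forward = in_group(src_ip, src, variables) and in_group(dst_ip, dst, variables)
    if direction == "<>":
        return forward or (in_group(dst_ip, src, variables) and in_group(src_ip, dst, variables))
    return forward

# Constructed scan rule using the header shape most of the ET rules share.
SCAN_RULE = 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed scan rule"; sid:1000001;)'

if __name__ == "__main__":
    for target, variables in (("192.168.1.1", DEFAULT_VARS), ("198.51.100.10", DEFAULT_VARS), ("198.51.100.10", FIXED_VARS)):
        print(target, variables["HOME_NET"], rule_matches(SCAN_RULE, "203.0.113.5", target, variables))
```

With the default variables the scan from 203.0.113.5 matches only when the target is the LAN address; the public client matches as soon as its block is part of HOME_NET.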
kejianshi (last edited Nov 26, 2017, 3:03 PM)

I looked into that, of course, but it was very automatic. Anything I'd have wanted to add was already there.
gowhadsteen (last edited Nov 28, 2017, 3:45 AM)

@kejianshi:

I looked into that, of course, but it was very automatic. Anything I'd have wanted to add was already there.

Yeah, it was… Since I turned NAT off and made it into a public IP, I should put that IP in the HOME_NET list.
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.