Suricata didn't detect any alert when attackers intrude my inside network
-
Hi, I'm student and really new about pfsense. I got a project to make bridge router with IPS inside and use ip public behind the router. and here's the topology.
Internet == pfSense+suricata == switch == IP Public
== IP PublicI already followed the instuction to make bridge mode. And here's my problems.
1. If I used inline mode in Suricata, it only detected intrusion without blocking anything when I attacked to the pfsense directly. but it didn't detect anything when I attacked to ip public behind the pfsense.
2. If I used legacy mode in Suricata. It could block and detect intrusion if I attacked to the pfsense directly. However, it also didn't detect anything when I attacked to the ip public behind the pfsense.
Did I do something wrong here? or Is it not supported with this scenario?
-
I wonder why inline mode don't block anything. My guess is all rules are alert only by default and alerts only get blocked in legacy mode.
-
I know a way to make all rules drop, but its a bit of a nuclear option. Very simple though. Let me know if you still want to do that.
-
for rules, I used emerging-scan and emerging-dos, I already setup it in SID Management to make all rules drop. for penetration, I use nmap to do port scanning. Suricata detected intrusion whenever I scanned directly to pfsense's ip, but It didn't work when I scan ip public client.
-
Suricata works on interfaces you define. If the traffic never touches that interface suricata never sees it.
-
Suricata works on interfaces you define. If the traffic never touches that interface suricata never sees it.
So it means, it won't work with my scenario. technically it should work, right ? because, the ethernet is passed by bad packet which penetrate to ip public client behind the pfsense. Why didn't it read that traffic?
-
If the traffic passed an interface with suricata running on it and the traffic matched a rule it should at least fire off an alert.
-
Hi guys, finally I found solution for my issues. at first, I tried to figure it out what the 'HOME_NET' is.
then I found what it is and how to enter my ip public clients to 'HOME_NET' list. Now penetration to my ip public clients has been detected by suricata itself.
btw, thank you for your help guys! :D :D :D
-
Hi guys, finally I found solution for my issues. at first, I tried to figure it out what the 'HOME_NET' is.
then I found what it is and how to enter my ip public clients to 'HOME_NET' list. Now penetration to my ip public clients has been detected by suricata itself.
btw, thank you for your help guys! :D :D :D
Properly populating the HOME_NET and EXTERNAL_NET variables is key to getting any IDS/IPS to work correctly. Nearly all the rules use those two variables (HOME_NET or EXTERNAL_NET) as the source or destination, so if the IP values encoded in those variables is not correct rules won't fire. The default install assumes HOME_NET is all the locally attached networks (meaning the network blocks defined in each firewall interface with the exception of the WAN). EXTERNAL_NET is then automatically defined as everything not in HOME_NET. This works for most all users, but if you are attempting a more complicated configuration, then manually tweaking the HOME_NET and/or EXTERNAL_NET definitions may be required.
Bill
-
I looked into that, of course, but it was very automatic. Anything I'd have wanted to add was already there.
-
I looked into that, of course, but it was very automatic. Anything I'd have wanted to add was already there.
Yeah, it was… Since I turned NAT off and made into IP Public, I should put that IP in HOME_NET list.