Suricata/Snort on a mirrored port
-
PFSense newbie…and first post so be gentle!
Not quite sure what I'm trying to do is possible - but here goes.
I'm very happy with my current Unifi setup at home - but just missing an IDS. Just want to use the Suricata or Snort features in PFSense and that's it. Attached (rather basic) pic shows my setup. As you can see, the WAN int is in port 8 of my switch which is mirroring port 1. Port 1 is the uplink to the USG
WAN interface is enabled and started in Suricata. ET & Snort community rules are enabled and I am getting some alerts into Suricata - but just a handful of the same ones. Deliberately triggering various rules results in no alerts at all.
Anything else I need to be considering here?
thanks!
-
Hi,
why dont you connect your Pfsense box inline in bridge mode. Pfsense's WAN to USG's port 1 and LAN to the switch's port. Create a bridge interface with WAN+LAN included and start the IPS on it. All passing traffic would have been monitored this way and no mirroring needed. I use the same topology, if you need help leave a comment.
This is a good starting point: https://doc.pfsense.org/index.php/Interface_Bridges
-
Thanks mind12..
Have updated the pic as attached. Is this the topology you suggest?
-
Yes that's it, except you give IP address to the Bridge interface for management.
-
PFSense newbie…and first post so be gentle!
WAN interface is enabled and started in Suricata. ET & Snort community rules are enabled and I am getting some alerts into Suricata - but just a handful of the same ones. Deliberately triggering various rules results in no alerts at all.
Anything else I need to be considering here?
thanks!
Be aware that you will have to properly set up HOME_NET and EXTERNAL_NET in order for many rules to trigger. HOME_NET and EXTERNAL_NET are variable names that hold IP addresses or networks that are to be protected (HOME_NET) or that are considered hostile (EXTERNAL_NET). When you use pfSense as your only router and traffic comes through it to go from WAN to LAN and vice-versa, then the default setups for Suricata or Snort will work. When you do something like using a bridge, you will likely need to manually define HOME_NET using an Alias.
Rules for an IDS are written assuming certain directions of flow for the traffic. That's where HOME_NET and EXTERNAL_NET come into play. They hold the actual IP addreses or netblocks that should be tested as "source" and "destination" targets when traffic is evaluated against the rule. If the actual IP addresses of the traffic do not match up with what the HOME_NET and EXTERNAL_NET variables contain, then rules may not trigger as you think they should.
Bill
-
Should we create HOME_NET and EXTERNAL_NET under Firewall - Alias or is there another place to defining aliases just for Suricata please ? I was looking for this :)
-
@Georget27:
Should we create HOME_NET and EXTERNAL_NET under Firewall - Alias or is there another place to defining aliases just for Suricata please ? I was looking for this :)
You will create an alias under Firewall - Alias, and then assign the alias to a Pass List you can generate on the PASS LIST tab. Uncheck all the default-checked options for the Pass List and then choose your HOME_NET alias down at the bottom. You can name the Pass List whatever you wish, but suggest including "HomeNet" in the name.
Now go to the INTERFACE SETTINGS tab for the interface and in the section for defining HOME_NET select the recently created Alias from the drop-down and then save.
Bill