Traffic graphic shows "ghost traffic" with Suricata enabled and suricata interface with promiscuous mode enabled
-
I just installed the latest version of the Suricata package (4.1.5_2) on the latest version of pfSense stable (2.4.4-RELEASE-p3). After configuring it and starting Suricata, I noticed the WAN traffic graph on my dashboard began showing anywhere between 20 and 60mbps of traffic that wasn't really there.
For troubleshooting purposes, I disabled promiscuous mode on my WAN interface (igb0) and the ghost traffic on the graph disappeared. You can see in this image
I have all hardware offloading disabled in the advanced network settings. Below are my interface settings:
$ ifconfig igb0 igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO> ether a1:35:9a:66:40:25 hwaddr a1:56:9a:66:40:25 inet6 xyzw%igb0 prefixlen 64 scopeid 0x1 inet x.y.z.w netmask 0xfffffe00 broadcast x.y.z.255 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (1000baseT <full-duplex>) status: active
Is this expected behavior or a "bug"?
-
It would be expected behavior when an interface is in promiscuous mode. That means it sees and processes all traffic hitting the interface, not just traffic targeted to the IP of the WAN. That's the point of promiscuous mode with an IDS (to see all the traffic hitting an interface).
There really is no good reason in most firewall setups to run the IDS/IPS on the WAN. Run it instead on the LAN or other internal interfaces. The number one advantage of that in a NAT setup is that then IP addresses in alerts will be the actual local host IP addresses instead of everything local showing up as the WAN IP due to NAT.
-
Thank you, it makes more sense now. So I'm assuming all that extra traffic on WAN was broadcast/multicast?
-
Probably. Could also be other types of traffic depending on whether the WAN is connected to a switch port or a hub port of some type.
-
It's a switch port at the ISP office (active ethernet fiber to the home), but I'm not sure if they are making use of VLANs for each client or not.
-
If this is a home firewall setup, then move your IDS/IPS to the LAN and remove it from the WAN. That will do two good things. First, it will remove the bogus traffic that you initially posted about from the WAN interface graph (of course it will then show up to some degree on the LAN side). Second good thing is that any IP addresses of local hosts shown in alerts will be the actual local IP and not the NAT-produced WAN IP. It is very difficult to isolate which LAN machine might have an infection that is generating alerts when all of your LAN traffic shows up in the IDS/IPS as a host with the firewall's WAN IP address. You can't tell what is what in that case without tracking down MAC addresses.
-
Yes, it's for home. Thanks a lot for the detailed explanation, I am going to switch to LAN interface.