Netgate Discussion Forum
    Suricata alerting on closed ports - Why?

    Firewalling
    • nikmiddleton

      Hi Guys,

      Just starting with Suricata so forgive me if this is a dumb question.

      I have port forwarding on for a given port on a server with a virtual IP. My understanding is that the firewall will block by default and only allow traffic I specify. So to that end, I'm surprised that Suricata is alerting on port 143 as below:

      Misc Attack    Source IP (x.x.x.x) 63899    to x.x.x.x (one of my virtual IPs) dest port 143    1:2403382    ET CINS Active Threat Intelligence Poor Reputation IP group 83

      Is Suricata simply inspecting traffic before it hits my firewall? If so, I thought the idea was to help Suricata out by blocking unwanted traffic, or am I missing something?

      Regards

      • NollipfSense @nikmiddleton

        @nikmiddleton Understand that the NIC and hence Suricata sees traffic before the firewall does.


        • bmeeks

          @NollipfSense is correct. Suricata (or Snort, if you use it) sees traffic the instant it leaves the hardware NIC, before the firewall engine and its rules see or act on the traffic.

          So, for example, if you have Suricata on the WAN, then inbound packets come off your NIC and hit Suricata for inspection before any firewall rules have been applied. In actual fact, when using Legacy Mode Blocking, Suricata gets copies of packets from the NIC while the original packet is sent on to the firewall engine. For outbound traffic, the opposite is true. Firewall rules and NAT are applied and then Suricata sees the packet as it exits the NIC onto the wire.

          A similar thing occurs on the LAN side. Suricata sees traffic coming from your LAN side into the firewall BEFORE any firewall rules are applied. Conversely, Suricata sees traffic coming from your firewall into the LAN interface AFTER any firewall rules are applied.

          • nikmiddleton
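          One way to put this ordering to use when triaging WAN alerts, as an added example that is not from the thread and not pfSense or Suricata code: a short Python script reads Suricata eve.json alert records and marks each one as either hitting a port with no port forward (inspected by Suricata, then dropped by the default-deny WAN policy) or hitting a port that is actually forwarded and so deserves a closer look. The port-forward table, the IP addresses and the log lines are all constructed for the example; the first record mirrors the port 143 alert from the question.

```python
import json
from collections import Counter

# Constructed sample eve.json alert records (not taken from the thread). The
# port 143 record mirrors the alert in the question; the others are illustrative.
SAMPLE_EVE = """\
{"timestamp":"2025-01-01T00:00:01","event_type":"alert","src_ip":"203.0.113.10","src_port":63899,"dest_ip":"198.51.100.5","dest_port":143,"proto":"TCP","alert":{"signature_id":2403382,"signature":"ET CINS Active Threat Intelligence Poor Reputation IP group 83","category":"Misc Attack"}}
{"timestamp":"2025-01-01T00:00:02","event_type":"alert","src_ip":"203.0.113.11","src_port":40000,"dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP","alert":{"signature_id":2403382,"signature":"ET CINS Active Threat Intelligence Poor Reputation IP group 83","category":"Misc Attack"}}
{"timestamp":"2025-01-01T00:00:03","event_type":"flow","src_ip":"203.0.113.12","dest_ip":"198.51.100.5","dest_port":22,"proto":"TCP"}
"""

# Constructed port-forward table: virtual IP -> set of forwarded TCP ports.
# Any destination port not listed here is dropped by the default-deny WAN
# policy, but only after Suricata has already inspected its copy of the packet.
FORWARDS = {"198.51.100.5": {443}}


def classify_alerts(eve_text, forwards):
    """Return (list of (alert record, verdict), Counter of verdicts).

    verdict is 'blocked_by_firewall' when the destination port has no port
    forward (alerted on by Suricata, then dropped by the firewall), or
    'reached_forwarded_port' when a forward exists and the alert needs triage.
    """
    results = []
    counts = Counter()
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # flow/stats records are skipped; only alerts are classified
        open_ports = forwards.get(ev["dest_ip"], set())
        verdict = ("reached_forwarded_port" if ev["dest_port"] in open_ports
                   else "blocked_by_firewall")
        results.append((ev, verdict))
        counts[verdict] += 1
    return results, counts


if __name__ == "__main__":
    rows, summary = classify_alerts(SAMPLE_EVE, FORWARDS)
    for ev, verdict in rows:
        print(f"{verdict:24} {ev['src_ip']}:{ev['src_port']} -> "
              f"{ev['dest_ip']}:{ev['dest_port']} sid={ev['alert']['signature_id']}")
    print(dict(summary))
```

          On a real box the input would be the Suricata eve.json for the WAN interface and the forward table would be built from the NAT port-forward rules; the split tells you which alerts are expected background noise on closed ports and which ones actually reached a service.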

            That makes sense now.

            Thank you,

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.