Suricata widget only giving alerts on WAN. No LAN alerts
-
How to change that and give the widget more than 20 alerts??
On a busy system it's hard to follow the amount of alerts going through...
-
@cool_corona said in Suricata widget only giving alerts on WAN. No LAN alerts:
How to change that and give the widget more than 20 alerts??
On a busy system it's hard to follow the amount of alerts going through...
The widget displays the most recent alerts from all of the alert logs. So a really busy WAN may well overwhelm a not-so-busy LAN when you run instances on both. The limit of 20 is just because of the limited space on the dashboard. I wanted the widget to play nice with all the other widgets.
But as I've said many times, there is seldom a reason for users to put an instance on their WAN. The LAN is a much better place in almost all cases. The only time I would consider an instance on the WAN is if I had internal servers exposed to the web, but even then I would create a DMZ and put the IDS instance on the DMZ and not the WAN. The WAN is always going to show a lot of useless noise because the IDS sits out in front of the firewall. Thus it will see and alert on junk the firewall is going to likely block anyway.
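As an added illustration of the point above (not code from the Suricata package or from this thread's posters), the script below parses Suricata fast.log lines from two interface instances, merges them newest-first the way the widget does, and shows how a noisy WAN instance fills all of the slots so the LAN alerts never appear. A second selector divides the slots evenly between interfaces as a defender-side way to keep an eye on the LAN alerts while still running the WAN instance. The log lines, SIDs in the local 9000000 range and RFC 5737 addresses are constructed sample data; the fast.log line format is Suricata's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Suricata fast.log format:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample logs: the WAN instance is noisier and its alerts are newer.
WAN_LOG = """\
01/15/2024-10:00:05.000001  [**] [1:9000001:1] Constructed sample alert (WAN) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:4444 -> 198.51.100.5:80
01/15/2024-10:00:06.000001  [**] [1:9000002:1] Constructed sample alert (WAN) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.11:5555 -> 198.51.100.5:22
01/15/2024-10:00:07.000001  [**] [1:9000003:1] Constructed sample alert (WAN) [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.12:53 -> 198.51.100.5:53
01/15/2024-10:00:08.000001  [**] [1:9000004:1] Constructed sample alert (WAN) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.13:6666 -> 198.51.100.5:443
"""
LAN_LOG = """\
01/15/2024-10:00:01.000001  [**] [1:9000010:1] Constructed sample alert (LAN) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.25:49152 -> 203.0.113.99:443
01/15/2024-10:00:03.000001  [**] [1:9000011:1] Constructed sample alert (LAN) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.30:49153 -> 203.0.113.98:80
"""


def parse_fast_log(iface, text):
    """Parse fast.log text into alert dicts tagged with the interface they came from."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a well-formed alert line
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        d["prio"] = int(d["prio"])
        d["iface"] = iface
        alerts.append(d)
    return alerts


def most_recent(alerts, limit=20):
    """Widget-style selection: newest N alerts across all logs, regardless of interface."""
    return sorted(alerts, key=lambda a: a["ts"], reverse=True)[:limit]


def most_recent_balanced(alerts, limit=20):
    """Round-robin the newest alerts per interface so one busy log cannot crowd out another."""
    queues = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"], reverse=True):
        queues[a["iface"]].append(a)
    chosen = []
    while len(chosen) < limit and any(queues.values()):
        for iface in sorted(queues):
            if queues[iface] and len(chosen) < limit:
                chosen.append(queues[iface].pop(0))
    return sorted(chosen, key=lambda a: a["ts"], reverse=True)


def count_by_iface(alerts):
    counts = defaultdict(int)
    for a in alerts:
        counts[a["iface"]] += 1
    return dict(counts)


def load_sample():
    return parse_fast_log("WAN", WAN_LOG) + parse_fast_log("LAN", LAN_LOG)


if __name__ == "__main__":
    sample = load_sample()
    print("widget-style:", count_by_iface(most_recent(sample, limit=4)))      # all WAN
    print("balanced:    ", count_by_iface(most_recent_balanced(sample, limit=4)))  # 2 WAN, 2 LAN
```

With a dashboard limit of 4 the widget-style selection returns only WAN alerts, which is exactly the symptom in the first post; the balanced selection keeps two slots for the LAN instance. Running the instance on the LAN (or a DMZ) instead of the WAN, as suggested above, avoids the problem altogether because the noise the firewall would have dropped never reaches the log.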
-
@bmeeks said in Suricata widget only giving alerts on WAN. No LAN alerts:
The LAN is a much better place in almost all cases
I set up a new router for a client today. When creating a new interface it defaults to WAN...I thought of this thread. Perhaps it should default to LAN? (this was Snort but I know it's the same code in pfSense). Possibly this is tied to the interface id (mvneta0=WAN vs mvneta1=LAN on this SG-2100).
-
@teamits said in Suricata widget only giving alerts on WAN. No LAN alerts:
@bmeeks said in Suricata widget only giving alerts on WAN. No LAN alerts:
The LAN is a much better place in almost all cases
I set up a new router for a client today. When creating a new interface it defaults to WAN...I thought of this thread. Perhaps it should default to LAN? (this was Snort but I know it's the same code in pfSense). Possibly this is tied to the interface id (mvneta0 vs mvneta1 on this SG-2100).
Yeah, that's probably something I should think about changing. That was the way it worked years ago when I inherited maintenance of the Snort package and I never changed it. That default also got copied over to Suricata when I created that package.