pfSense for Suricata only
-
Hi everyone, I'm new to both Suricata and pfSense and am looking to set up Suricata for IDS only. I have an existing Cisco ASA firewall, so I do not need pfSense for any routing or firewall functions. Because Suricata does not come with a front-end GUI by default, I wanted to use pfSense for management of Suricata only.
My question is regarding the LAN setup of pfSense. I have given pfSense an IP on an existing VLAN in my network and also inputted the default gateway for the VLAN, which is managed by the ASA. I am able to connect to the management interface; however, I noticed that pfSense appears to have created a gateway, which was not my intention. For example, if the gateway for the VLAN on the ASA is 10.1.200.1, when I entered this gateway on the pfSense, it appears to have also created a gateway with the exact same IP. The only reason I wanted a gateway assigned to this interface is so I can access the GUI.
If I turn the gateway feature off, then I can no longer access the GUI, but my fear is that leaving it on means that both pfSense and the ASA are broadcasting the 10.1.200.1 gateway. Wondering if anyone has any insight on this setup.
Thanks,
Hardy -
@hsid Actually, you don't need pfSense to run Suricata, as Windows, macOS, Linux, etc., all run it ... https://suricata-ids.org/features/all-features/
You could make pfSense your primary firewall and make that Cisco secondary since it doesn't fulfill all your needs. -
@nollipfsense Thanks so much for your response. I actually did have the Linux version set up on Ubuntu, and it was actually quite easy to set up; however, I was looking for something just a bit more user friendly. Tuning the rules will take a while; however, my main focus is to ensure the logs get output to the right place and that I can set up email alerts for suspected threats. I am looking for this system to function as an IDS only.
If there are any guides or docs that you can recommend that would help me pull some of this data and put it into a logging server, that would be great. Also, do you have any experience using the Windows version?
Cheers,
Hardy -
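For the logging-server and email-alert part of the question above, here is an added example (not code from pfSense, Suricata, or anyone in this thread) of the shape such a pipeline usually takes: read Suricata's EVE JSON output, keep only the "alert" events at or above a chosen severity, forward each as an RFC 5424 syslog message to a collector, and build a digest subject/body for a mail. It assumes Suricata is writing eve.json with the alert event type enabled (the default in suricata.yaml); the sample records, the sensor hostname, the syslog collector address and the Suricata-to-syslog severity mapping are all constructed for the example.

```python
"""Filter Suricata EVE JSON alerts, forward them to syslog, and build a mail digest.

Added example for this thread, not code from pfSense, Suricata or the posters.
Assumes eve.json alert records in Suricata's documented format; every path,
host and sample record below is a placeholder chosen for the example.
"""
import json
import socket
from datetime import datetime

# Constructed sample EVE lines (not real traffic), one JSON object per line,
# as Suricata appends them to eve.json. Only "alert" events are forwarded;
# "flow"/"dns" records and a torn (non-JSON) line are skipped.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-05-14T09:12:01.123456+0000","event_type":"flow","src_ip":"10.1.200.25","dest_ip":"10.1.200.1","proto":"TCP"}',
    '{"timestamp":"2021-05-14T09:12:03.000100+0000","event_type":"alert","src_ip":"10.1.200.25","src_port":51234,"dest_ip":"198.51.100.10","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"LOCAL example outbound HTTP rule","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2021-05-14T09:12:05.500000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":4444,"dest_ip":"10.1.200.40","dest_port":22,"proto":"TCP","alert":{"signature_id":1000002,"rev":1,"signature":"LOCAL example SSH scan rule","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2021-05-14T09:12:06.000000+0000","event_type":"dns","src_ip":"10.1.200.25","dest_ip":"10.1.200.1","proto":"UDP"}',
    '{"timestamp":"2021-05-14T09:12:09.250000+0000","event_type":"alert","src_ip":"10.1.200.25","src_port":51240,"dest_ip":"198.51.100.10","dest_port":80,"proto":"TCP","alert":{"signature_id":1000003,"rev":1,"signature":"LOCAL example malware download rule","category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2021-05-14T09:12:11.000000+0000","event_type":"alert","src_ip":"203.0.113.9","src_port":4445,"dest_ip":"10.1.200.41","dest_port":22,"proto":"TCP","alert":{"signature_id":1000002,"rev":1,"signature":"LOCAL example SSH scan rule","category":"Attempted Information Leak","severity":2}}',
    'this line is not JSON (a torn write during log rotation) and is skipped',
]

# Suricata severity 1 is the most severe. Mapping to syslog severities is an
# assumption for this example: 1 -> critical(2), 2 -> warning(4), 3 -> info(6).
SYSLOG_SEVERITY = {1: 2, 2: 4, 3: 6}
SYSLOG_FACILITY_LOCAL0 = 16


def parse_eve_alerts(lines, max_severity=3):
    """Return the alert events whose severity is <= max_severity (1 = highest)."""
    alerts = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial or garbage line; never let it stall the pipeline
        if event.get("event_type") != "alert":
            continue
        severity = event.get("alert", {}).get("severity", 3)
        if severity <= max_severity:
            alerts.append(event)
    return alerts


def to_syslog_message(event, hostname="sensor1", app="suricata"):
    """Format one alert event as an RFC 5424 syslog line."""
    alert = event["alert"]
    pri = SYSLOG_FACILITY_LOCAL0 * 8 + SYSLOG_SEVERITY.get(alert.get("severity", 3), 6)
    # Suricata writes "+0000"; RFC 5424 wants "+00:00", so round-trip through datetime.
    ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").isoformat()
    msg = (
        f'sid={alert["signature_id"]} rev={alert.get("rev", 0)} '
        f'sig="{alert["signature"]}" category="{alert.get("category", "")}" '
        f'src={event["src_ip"]}:{event.get("src_port", 0)} '
        f'dst={event["dest_ip"]}:{event.get("dest_port", 0)} proto={event["proto"]}'
    )
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}"


def send_to_syslog(messages, host, port=514):
    """Send already-formatted messages to a UDP syslog collector; returns count sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for message in messages:
            sock.sendto(message.encode("utf-8"), (host, port))
            sent += 1
    return sent


def email_summary(alerts):
    """Group alerts by signature for a digest mail; returns (subject, body)."""
    counts = {}
    for event in alerts:
        alert = event["alert"]
        key = (alert["severity"], alert["signature_id"], alert["signature"])
        counts[key] = counts.get(key, 0) + 1
    if not counts:
        return "Suricata: no alerts", ""
    body_lines = [
        f"{n} x sev{sev} sid {sid}: {sig}" for (sev, sid, sig), n in sorted(counts.items())
    ]
    highest = min(sev for (sev, _, _) in counts)
    subject = f"Suricata: {len(alerts)} alert(s), highest severity {highest}"
    return subject, "\n".join(body_lines)


if __name__ == "__main__":
    # Stand-alone run: print what would be forwarded instead of sending it.
    found = parse_eve_alerts(SAMPLE_EVE_LINES, max_severity=2)
    for line in map(to_syslog_message, found):
        print(line)
    subject, body = email_summary(found)
    print(subject)
    print(body)
```

On a real sensor you would tail eve.json (or read it from the position recorded at the last run) instead of the constructed list, call send_to_syslog with your collector's address, and hand the email_summary output to whatever mailer you use. The severity threshold is the main tuning knob: sending every severity-3 alert to email is the quickest way to get people to ignore the mailbox.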
@hsid I am a Mac person, so that tells you about me and Windows. I was like you in that I had a firewall set up already (Mikrotik) before discovering pfSense. I quickly gravitated to pfSense because of IDS/IPS and the ease of its implementation. Then I discovered pfBlockerNG.
So, what I did was to implement both systems, with pfSense as my edge router and Mikrotik as my LAN king. I use pfSense for IDS/IPS as well as DNS, while the Mikrotik does DHCP. My system is modem > pfSense > Mikrotik > switch > clients ... even double NATed, no problem. Also, I even run both IDS/IPS packages, with Suricata on WAN as well as Snort on LAN, no problem, but with different rule sets for each. As a disclaimer, this is not recommended by the package maintainer or the developers. It works very well for me, though.
I think putting your pfSense box at the edge would complement your network nicely and give you the features you want. Just a little warning: it takes a little while to understand the IDS/IPS rules in order to mitigate the false positives. It's not a set-up-and-leave thing ... it's constant tuning.
-
That may not be a bad idea either, putting it at the edge and acting as an IDS only. I'll think about that one, but in the meantime I think I'll move forward with standalone Suricata IDS for Linux.
Thanks again!
-
@hsid said in pfSense for Suricata only:
with standalone Suricata IDS
Read this: https://forum.netgate.com/topic/163732/anti-virus-anti-malware-without-proxy/3?_=1620969717433
-
Can you share your setup for the modem > pfSense > switch > clients?
In my setup, I have the pfSense currently just for testing pfBlockerNG and Suricata.
Mikrotik has the DNS and DHCP; this can stay as is, without double NAT.
The switch has the VLANs set up as a router on a stick to the Mikrotik.