I need an opinion on whether I really need Suricata
  • I am currently using pfSense 2.4.2 release P1 for geolocation unblocking on OpenVPN. I use a Ubiquiti AP and switch on a VLAN for the smart TV. It's a simple home network with no other servers. Roku and Apple TV are connected to ExpressVPN for geolocation unblocking. I am connected on symmetrical 100 fiber.

    My current pfSense box consists of a Kaby Lake G4600 dual-core CPU with hyperthreading and AES-NI, 8 GB of DDR4 RAM, an Intel i350 T4 NIC, and two SSDs in a ZFS mirror.

    I use DNS Resolver, pfBlocker, and Cron. No traffic shaping.

    I am pretty happy with my current setup.

    The question is: do I really need Suricata?

    Is my current pfSense box capable of running Suricata?

    If I decide to install Suricata, should I use the WAN and LAN interfaces, or OpenVPN?

    Legacy mode or inline?

  • Your hardware is capable of running Suricata or Snort for a home network application.

    Whether you need it or not is really up to you. One of the things to consider is what type of risk your network is exposed to via the VPN. What I mean by that is, if you simply access mainline streaming services like Roku and Apple TV and avoid other more "wild and woolly" sites, then you don't need an IDS/IPS package. If you have guests with laptops, or other household members who might visit riskier sites (such as torrent hosting sites, some gamer sites, etc.), then an IDS/IPS like Suricata or Snort can help protect users from themselves by blocking some known exploits.

    Just be aware that it is NOT as simple as just installing the Suricata or Snort package and turning on blocking. Doing it that way will most certainly result in lots of spurious blocks from false positives. You have to understand the rules and enable only the ones that are appropriate for your network usage. There are examples of good setups in the threads of this IDS/IPS sub-forum. Just search through them using the search tool on the forum.

    Bill
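
The advice above boils down to: run Suricata in alert-only mode first, find the rules that fire constantly on normal traffic, and review or disable those before enabling blocking. The script below is an added example (not from the poster or from the pfSense Suricata package) that shows what that triage looks like on Suricata's EVE JSON alert log. The sample records are constructed, with made-up signature IDs in the local 1000000+ range; the thresholds (`min_hits`, `min_sources`) are arbitrary knobs, not recommended values. Suricata severity 1 is the highest priority, so the script never proposes disabling severity-1 rules, only lower-priority ones that fire broadly across internal hosts.

```python
import json
from collections import defaultdict


def _alert(ts, src, dst, sid, sig, cat, sev):
    """Build one constructed EVE 'alert' record in the shape Suricata writes to eve.json."""
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": dst, "proto": "TCP",
        "alert": {"action": "allowed", "signature_id": sid, "rev": 1,
                  "signature": sig, "category": cat, "severity": sev},
    })


# Constructed sample log lines: a chatty low-priority rule hitting three LAN hosts,
# one high-priority hit, one informational rule from a single host, a non-alert
# flow record, and a corrupted line. None of this is captured traffic.
SAMPLE_EVE_LINES = [
    _alert("2024-01-01T10:00:01+0000", "192.168.10.21", "203.0.113.5", 1000001,
           "EXAMPLE POLICY streaming client keepalive", "Potential Corporate Privacy Violation", 3),
    _alert("2024-01-01T10:00:02+0000", "192.168.10.22", "203.0.113.5", 1000001,
           "EXAMPLE POLICY streaming client keepalive", "Potential Corporate Privacy Violation", 3),
    _alert("2024-01-01T10:00:03+0000", "192.168.10.23", "203.0.113.5", 1000001,
           "EXAMPLE POLICY streaming client keepalive", "Potential Corporate Privacy Violation", 3),
    _alert("2024-01-01T10:00:04+0000", "192.168.10.21", "203.0.113.6", 1000001,
           "EXAMPLE POLICY streaming client keepalive", "Potential Corporate Privacy Violation", 3),
    _alert("2024-01-01T10:01:00+0000", "192.168.10.30", "198.51.100.9", 1000002,
           "EXAMPLE MALWARE known C2 check-in", "A Network Trojan was detected", 1),
    _alert("2024-01-01T10:02:00+0000", "192.168.10.21", "198.51.100.20", 1000003,
           "EXAMPLE INFO DNS query to dynamic DNS host", "Misc activity", 2),
    _alert("2024-01-01T10:02:30+0000", "192.168.10.21", "198.51.100.20", 1000003,
           "EXAMPLE INFO DNS query to dynamic DNS host", "Misc activity", 2),
    json.dumps({"timestamp": "2024-01-01T10:03:00+0000", "event_type": "flow",
                "src_ip": "192.168.10.21", "dest_ip": "203.0.113.5"}),
    '{"timestamp": "2024-01-01T10:03:01+0000", "event_type": "alert", "src_ip',  # truncated line
]


def parse_alerts(lines):
    """Return only well-formed 'alert' records; skip other event types and unparsable lines."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and isinstance(rec.get("alert"), dict):
            alerts.append(rec)
    return alerts


def summarize_by_rule(alerts):
    """Aggregate alerts per signature ID: hit count, distinct source hosts, severity, name."""
    summary = defaultdict(lambda: {"signature": "", "count": 0, "sources": set(), "severity": 4})
    for rec in alerts:
        a = rec["alert"]
        entry = summary[a["signature_id"]]
        entry["signature"] = a.get("signature", "")
        entry["count"] += 1
        entry["sources"].add(rec.get("src_ip"))
        # Keep the most urgent severity seen (lower number = higher priority in Suricata).
        entry["severity"] = min(entry["severity"], a.get("severity", 4))
    return dict(summary)


def candidate_false_positives(summary, min_hits=3, min_sources=2):
    """SIDs worth reviewing before enabling blocking: frequent, seen from several
    internal hosts, and not severity 1. Thresholds are arbitrary example values."""
    return sorted(
        sid for sid, e in summary.items()
        if e["count"] >= min_hits and len(e["sources"]) >= min_sources and e["severity"] >= 2
    )


def disable_conf_lines(sids):
    """One SID per line, the plain-SID form accepted by suricata-update's disable.conf."""
    return [str(sid) for sid in sorted(sids)]


if __name__ == "__main__":
    summary = summarize_by_rule(parse_alerts(SAMPLE_EVE_LINES))
    for sid, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{sid} hits={e['count']} hosts={len(e['sources'])} sev={e['severity']} {e['signature']}")
    print("review/disable candidates:", disable_conf_lines(candidate_false_positives(summary)))
```

On a pfSense box the Suricata package manages rule enable/disable state through its own GUI rather than a disable.conf, so the output list is a review queue for that GUI, not something to apply blindly; the point is to make the "understand the rules first" step concrete by ranking what actually fires on your own traffic.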