New SG-3100 User - Suricata Results scaring me



  • I handle the IT for our small office (14 people) and have been using a Meraki MX60 for the past 4 years or so.  Have been reading into pfSense and was intrigued enough to get one and test one out.

    Got my SG-3100 this morning, got it configured with an extra static IP address on our primary/backup WAN, and tested out the failover.  All good there.

    Installed Suricata, and updated the rules for Emerging Threats Open Rules and Snort Subscriber Rules.  In the 25 minutes since I activated Suricata the Alerts tab has taken off.  I've attached a screenshot of the log (which had picked up new entries in the time it's taken me to register and post).

    Is this normal?  The security center in Meraki's site (Advanced Malware Protection enabled, and Intrusion detection and prevention set at the highest level) has never shown anything like this.

    I know I have tons of reading to do before putting the pfSense into my production environment, but I wasn't expecting this sort of activity.

    Thanks for any advice.



  • It's learning your network habits…if the source and destination looks good, just click on the red X. Also, suggest to not enable blocking yet...give it three months or more of learning.


  • Galactic Empire

    I'm guessing you're running it on the WAN interface; if you are, these would be blocked by the firewall anyhow.



  • Thanks for your replies.

    Correct, I am running on the WAN interface.  I have no ports open on the firewall apart from the Default LAN to Any.  So in the absence of Suricata, all of those incoming entries would be blocked anyways and Suricata takes it a step further with the logging/ability to add the host to a block table?

    We don't run any publicly facing services from our office, so should I just switch it to scan the LAN, as the firewall is getting the incoming things anyways?


  • Galactic Empire

    I'd run it on your LAN interface, you see the host IP addresses then.

    I'd also run a cut down version of the rules on the WAN if you are interested in what hits your WAN.



  • +1 on what other respondents have said.  Running an IDS/IPS on the WAN is generally going to log a bunch of noise, and if you have no public-facing services and block all unsolicited inbound traffic, then you don't gain any security by running an IDS/IPS on the WAN.

    Better in most situations to run the IDS/IPS on the LAN.  Even then, you will want to let it run in non-blocking mode for a while to get a feel for any false positives that show up on your network.  There are generally quite a few centered around HTTP_INSPECT rules in Snort.

    Bill
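
Added example, not written by any poster in this thread: a small triage script for the non-blocking review period described above. It splits Suricata alerts into those where no LAN address appears (what a WAN-side sensor logs) and those that name a LAN host, grouped by signature. It assumes EVE JSON logging is enabled and a LAN subnet of 192.168.1.0/24; the sample records and signature names are constructed.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Assumption: the office LAN subnet. Change it to match your addressing.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample EVE JSON records (not taken from the thread's screenshot).
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"198.51.100.10",'
    '"alert":{"signature_id":9000001,"signature":"EXAMPLE inbound telnet probe"}}',
    '{"event_type":"alert","src_ip":"192.168.1.23","dest_ip":"203.0.113.50",'
    '"alert":{"signature_id":9000002,"signature":"EXAMPLE HTTP inspect anomaly"}}',
    '{"event_type":"alert","src_ip":"203.0.113.50","dest_ip":"192.168.1.31",'
    '"alert":{"signature_id":9000002,"signature":"EXAMPLE HTTP inspect anomaly"}}',
    '{"event_type":"flow","src_ip":"192.168.1.23","dest_ip":"203.0.113.50"}',
    '{"event_type":"alert","src_ip":',  # truncated line, e.g. a partial write
]

def in_lan(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETS)

def triage(lines):
    """Return (alerts naming no LAN host, per-signature alerts naming one)."""
    no_lan_host = Counter()
    lan_hits = defaultdict(lambda: {"count": 0, "hosts": set()})
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or corrupt records
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue  # EVE also carries flow, dns, tls and other event types
        sig = ev.get("alert", {}).get("signature", "unknown")
        hosts = {ip for ip in (ev.get("src_ip"), ev.get("dest_ip")) if ip and in_lan(ip)}
        if hosts:
            lan_hits[sig]["count"] += 1
            lan_hits[sig]["hosts"] |= hosts
        else:
            no_lan_host[sig] += 1
    return no_lan_host, dict(lan_hits)

if __name__ == "__main__":
    noise, lan = triage(SAMPLE_EVE)
    print(dict(noise), {s: (i["count"], sorted(i["hosts"])) for s, i in lan.items()})
```

Signatures that fire repeatedly across several LAN hosts during the non-blocking period are the ones to review as possible false positives before blocking is enabled.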