Netgate Discussion Forum

    New SG-3100 User - Suricata Results scaring me

    IDS/IPS
    6 Posts 4 Posters 1.5k Views
    • scaredoutofmymind

      I handle the IT for our small office (14 people) and have been using a Meraki MX60 for the past 4 years or so.  Have been reading into pfSense and was intrigued enough to get one and test one out.

      Got my SG-3100 this morning, got it configured with an extra static IP address on our primary/backup WAN, and tested out the failover.  All good there.

      Installed Suricata, and updated the rules for Emerging Threats Open Rules and Snort Subscriber Rules.  In the 25 minutes since I activated Suricata the Alerts tab has taken off.  I've attached a screenshot of the log (which had picked up new entries in the time it's taken me to register and post).

      Is this normal?  The security center in Meraki's site (Advanced Malware Protection enabled, and Intrusion detection and prevention set at the highest level) has never shown anything like this.

      I know I have tons of reading to do before putting the pfSense into my production environment, but I wasn't expecting this sort of activity.

      Thanks for any advice.
      [attached screenshot: suricata.png]
      • NollipfSense

        It's learning your network habits… if the source and destination look good, just click on the red X. Also, I suggest not enabling blocking yet... give it three months or more of learning.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        • NogBadTheBad

          I'm guessing you're running it on the WAN interface; if you are, these would be blocked by the firewall anyhow.

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          • scaredoutofmymind

            Thanks for your replies.

            Correct I am running on the WAN interface.  I have no ports open on the firewall apart from the Default LAN to Any.  So in the absence of Suricata, all of those incoming entries would be blocked anyways and Suricata takes it a step further with the logging/ability to add the host to a block table?

            We don't run any publicly facing services from our office, so should I just switch it to scan the LAN, as the firewall is getting the incoming things anyways?

            • NogBadTheBad

              I'd run it on your LAN interface; you see the host IP addresses then.

              I'd also run a cut-down version of the rules on the WAN if you are interested in what hits your WAN.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              • bmeeks

                +1 on what other respondents have said.  Running an IDS/IPS on the WAN is generally going to log a bunch of noise, and if you have no public-facing services and block all unsolicited inbound traffic, then you don't gain any security by running an IDS/IPS on the WAN.

                Better in most situations to run the IDS/IPS on the LAN.  Even then, you will want to let it run in non-blocking mode for a while to get a feel for any false positives that show up on your network.  There are generally quite a few centered around HTTP_INSPECT rules in Snort.

                Bill

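One way to do the false-positive review Bill describes during the non-blocking period, as an added example that is not from the thread or the pfSense Suricata package: a small Python triage script over Suricata eve.json alert records that separates unsolicited inbound hits on the firewall's WAN address (the noise the default-deny firewall drops anyway) from alerts raised by LAN hosts, and tallies them per signature. The LAN subnet, WAN address, sample records and signature names are constructed assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Assumed addressing for this example: the office LAN behind the firewall and the
# firewall's own public WAN address (a TEST-NET-3 documentation address).
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
WAN_ADDR = ipaddress.ip_address("203.0.113.5")

# Constructed eve.json events in Suricata's EVE shape. Signature names and SIDs
# (local-rule range) are made up for the example, not real ET or Snort rules.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.5","dest_port":23,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE SCAN inbound telnet probe","category":"Attempted Information Leak"}}
{"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"203.0.113.5","dest_port":23,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE SCAN inbound telnet probe","category":"Attempted Information Leak"}}
{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.5","dest_port":445,"proto":"TCP","alert":{"signature_id":9000002,"signature":"EXAMPLE SCAN inbound SMB probe","category":"Attempted Information Leak"}}
{"event_type":"flow","src_ip":"192.168.10.20","dest_ip":"192.168.10.1","proto":"UDP"}
{"event_type":"alert","src_ip":"192.168.10.20","dest_ip":"198.51.100.50","dest_port":80,"proto":"TCP","alert":{"signature_id":9000003,"signature":"EXAMPLE HTTP_INSPECT oversized header","category":"Not Suspicious Traffic"}}
{"event_type":"alert","src_ip":"192.168.10.31","dest_ip":"198.51.100.50","dest_port":80,"proto":"TCP","alert":{"signature_id":9000003,"signature":"EXAMPLE HTTP_INSPECT oversized header","category":"Not Suspicious Traffic"}}
"""

def bucket(src, dst):
    """Label an alert as started by a LAN host, as unsolicited inbound traffic
    to the WAN address, or as something else (e.g. transit traffic)."""
    if src in LAN_NET:
        return "lan-originated"
    if dst == WAN_ADDR:
        return "inbound-unsolicited"
    return "other"

def triage(eve_text):
    """Tally alert events per (bucket, signature) and keep the distinct source
    addresses, so a reviewer sees which LAN hosts trip a rule before enabling
    blocking, and how many remote scanners account for the WAN noise."""
    tally = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":  # skip flow/dns/http records
            continue
        src = ipaddress.ip_address(rec["src_ip"])
        dst = ipaddress.ip_address(rec["dest_ip"])
        key = (bucket(src, dst), rec["alert"]["signature"])
        tally[key]["count"] += 1
        tally[key]["sources"].add(str(src))
    return dict(tally)

if __name__ == "__main__":
    for (label, sig), info in sorted(triage(SAMPLE_EVE).items()):
        print(f"{label:20} {info['count']:3}  {sig}  sources={sorted(info['sources'])}")
```

On a pfSense box the same function can be fed the live file with `triage(open("/var/log/suricata/<interface dir>/eve.json").read())` (the directory name is an assumption; check where your instance writes EVE output).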
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.