pfBlockerNG and Suricata (IPS) interaction



  • Which takes action first?


  • Moderator

    @newyork10023 said in pfBlockerNG and Suricata (IPS) interaction:

    Which takes action first?

    Snort and Suricata (non-inline mode) will block based on a copy of the packets. So pfBlockerNG and the IDS may show duplicate events if they are configured to block similar things.

    Suricata inline mode will block before the pfSense firewall rules take effect.



  • Is there a way to have pfBlocker filter first?

    I'm getting a ton of alerts in Suricata that are not relevant, as they would be blocked by pfBlocker, and it's a heap of extra noise I don't want to look at.

    That being said, I still want to monitor open connections that have been instigated from the LAN to countries I'm normally blocking via pfSense.
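The triage the poster is asking for can be done after the fact on Suricata's EVE JSON log: drop alerts whose source sits in a pfBlockerNG netblock (pfBlockerNG's WAN deny rule discards that traffic anyway), but flag alerts where a LAN host initiated a connection toward a blocked netblock. This is an added example, not code from pfSense, pfBlockerNG or Suricata; the netblocks, the LAN subnet 192.168.1.0/24 and the EVE records are constructed sample data, and the function names are my own.

```python
import ipaddress
import json

# Constructed pfBlockerNG-style netblocks (example data, not a real GeoIP feed).
# pfBlockerNG writes its aliases as one CIDR per line; these two are assumed.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",   # assumed: a GeoIP country block
    "203.0.113.0/24",    # assumed: an IP reputation blocklist
)]

# Assumed LAN subnet behind the firewall, used to tell LAN-originated flows apart.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed Suricata EVE JSON records, one per line (minimal fields only).
SAMPLE_EVE = """
{"event_type":"alert","src_ip":"198.51.100.23","src_port":44512,"dest_ip":"192.0.2.10","dest_port":22,"alert":{"signature":"ET SCAN SSH brute force (constructed)"}}
{"event_type":"alert","src_ip":"192.168.1.10","src_port":51000,"dest_ip":"203.0.113.7","dest_port":443,"alert":{"signature":"ET POLICY outbound TLS (constructed)"}}
{"event_type":"alert","src_ip":"192.168.1.10","src_port":51001,"dest_ip":"192.0.2.53","dest_port":53,"alert":{"signature":"ET DNS query (constructed)"}}
{"event_type":"flow","src_ip":"198.51.100.5","dest_ip":"192.0.2.10"}
"""


def in_blocklist(ip: str) -> bool:
    """True if the address falls inside any of the (assumed) pfBlockerNG netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


def classify(event: dict) -> str:
    """Return 'suppress', 'watch' or 'keep' for one EVE alert record."""
    src = ipaddress.ip_address(event["src_ip"])
    if src not in LAN_NET and in_blocklist(event["src_ip"]):
        # Unsolicited inbound from a blocked netblock: pfBlockerNG's WAN deny rule
        # drops this anyway, so a WAN-side Suricata alert on it is pure noise.
        return "suppress"
    if src in LAN_NET and in_blocklist(event["dest_ip"]):
        # A LAN host reached out to a blocked netblock. pfBlockerNG will deny the
        # connection, but this is exactly the activity worth keeping an eye on.
        return "watch"
    return "keep"


def triage(eve_text: str) -> list[tuple[str, str]]:
    """Classify every alert record in an EVE log; non-alert records are ignored."""
    results = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        results.append((classify(event), event["alert"]["signature"]))
    return results


if __name__ == "__main__":
    for decision, sig in triage(SAMPLE_EVE):
        print(f"{decision:8s} {sig}")
```

The split between "suppress" and "watch" is the point: both directions involve a blocked netblock, but only the LAN-initiated one tells you something about a host you are responsible for. Note that a post-filter like this only hides the noise; in non-inline mode Suricata still inspects a copy of every packet pfBlockerNG drops.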



  • Are you running Suricata on the WAN or LAN? Using the LAN will avoid alerting on any traffic that would normally not be passed on the WAN port.



  • @teamits Hi, I'm running it on both.

    My understanding (I could be wrong!):

    Running on the WAN will monitor for attempted intrusion of any kind (not filtered by pfBlocker though) and will also monitor for any 'allowed' traffic that's potentially doing bad things.

    Running on the LAN would indicate any bad activity originating from within the network.

    I'm pretty happy with its reporting/alerting so far, other than that I'm getting so much noise from countries I've blocked via pfBlockerNG that in real terms wouldn't be posing a risk.



  • Suricata on WAN will scan packets before the firewall sees them. On LAN it will see all packets passing by so essentially monitor both directions.



  • OK, I'm thinking that makes sense, so unless there was an attack against the actual firewall, any traffic that did make it through, malicious or not, would be 'seen' traversing through to the LAN.



  • @timboau-0 said in pfBlockerNG and Suricata (IPS) interaction:

    OK, I'm thinking that makes sense, so unless there was an attack against the actual firewall, any traffic that did make it through, malicious or not, would be 'seen' traversing through to the LAN.

    Yes, this is correct. The LAN is the best place to put an IDS/IPS 99% of the time. A major reason is that, when using NAT, the IP addresses you see in alerts will be the actual LAN host addresses instead of the NAT IP. When you put the IDS/IPS on the WAN, all internal host traffic shows up under the WAN public IP due to NAT. So finding which internal host generated an alert is very difficult.
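To see concretely why WAN-side alerts are hard to attribute, here is an added example (not pfSense, pf or Suricata code) that takes a WAN-side EVE alert whose source is the firewall's public address and looks the flow up in pf's state table to recover the LAN host behind the NAT. The `pfctl -ss` lines are constructed; their layout is assumed to follow pf's state printer, where an outbound NAT state lists the translated source first and the original LAN source in parentheses. The WAN address 203.0.113.5, the hosts and the function names are all assumptions.

```python
import json
import re
from typing import Optional

# Constructed `pfctl -ss` output. Format assumed: for an outbound NAT state the
# translated (WAN) source comes first and the original LAN source follows in
# parentheses. The second line shows pf rewriting the source port as well.
SAMPLE_STATES = """
all tcp 203.0.113.5:54321 (192.168.1.10:54321) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
all udp 203.0.113.5:61001 (192.168.1.22:40000) -> 192.0.2.53:53       MULTIPLE:MULTIPLE
all tcp 192.168.1.10:54321 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
"""

# Only the NAT'd half of each state carries the "(orig)" part; IPv4 only here.
STATE_RE = re.compile(
    r"^all\s+(?P<proto>tcp|udp)\s+"
    r"(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\s+"
    r"\((?P<lan_ip>[\d.]+):(?P<lan_port>\d+)\)\s+->\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
)


def parse_states(text: str) -> dict:
    """Map (proto, nat_ip, nat_port, dst_ip, dst_port) -> (lan_ip, lan_port)."""
    table = {}
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:  # inside-facing half of a state, or a state without NAT
            continue
        key = (m["proto"], m["nat_ip"], int(m["nat_port"]),
               m["dst_ip"], int(m["dst_port"]))
        table[key] = (m["lan_ip"], int(m["lan_port"]))
    return table


def resolve_alert(eve_line: str, table: dict) -> Optional[str]:
    """Return the LAN host behind a WAN-side EVE alert, or None if no state matches.

    The alert's src_ip is the WAN address after NAT, so the 5-tuple as Suricata
    saw it on WAN is the translated side of the pf state.
    """
    ev = json.loads(eve_line)
    key = (ev["proto"].lower(), ev["src_ip"], int(ev["src_port"]),
           ev["dest_ip"], int(ev["dest_port"]))
    hit = table.get(key)
    return hit[0] if hit else None


if __name__ == "__main__":
    states = parse_states(SAMPLE_STATES)
    # Constructed WAN-side alert: Suricata only ever saw 203.0.113.5 as the source.
    alert = ('{"event_type":"alert","proto":"TCP","src_ip":"203.0.113.5",'
             '"src_port":54321,"dest_ip":"198.51.100.7","dest_port":443}')
    print("LAN host:", resolve_alert(alert, states))
```

The lookup only works while the state still exists, so the state table has to be captured close to the alert; a short-lived flow that has already been expired from pf leaves nothing to correlate. Running Suricata on LAN avoids the problem entirely, because there the alert's src_ip is the LAN host to begin with.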

