Cant enable Suricata on all interfaces



  • I'm hoping this is an easy question.

    I'm running a Netgate SG-3100 with several VLAN networks. I'm only using the WAN and OPT1 connections to a separate 802.1Q switch; the OPT1 interface is broken out into several VLAN networks. I've set up Suricata to run on each of the VLAN interfaces (OPT3, OPT4, etc.). However, it won't let me start Suricata on all the interfaces, because the firewall only has 2G of memory. :(

    Do I need to enable each and every VLAN for Suricata, or can I somehow get it to listen on all VLANs?



  • @msf2000
    In your somewhat special case, I suggest running Suricata on your WAN connection. The drawback to that is that all the local hosts in any alerts will show up with the WAN public IP address instead of their actual VLAN addresses. This is because Suricata will see the traffic before the NAT is "undone". It will be more difficult to identify which local host is generating an alert.

    As you have seen, the SG-3100 does not have enough RAM to run lots of Suricata interfaces. Another option might be to run a very limited rule set on each interface, but still I doubt that you will be able to bring all of them up at the same time.



  • That is so ridiculous. Snort listens on a physical interface, irrespective of VLANs. Why can't Suricata?



  • @msf2000 said in Cant enable Suricata on all interfaces:

    That is so ridiculous. Snort listens on a physical interface, irrespective of VLANs. Why can't Suricata?

    So run Snort instead of Suricata if it works better for your situation. The two are fundamentally the same thing.



  • Thought I would post for my own reference and anyone else with this problem... Rebooting the firewall results in Suricata listening on all interfaces with 1 instance (startup). So, the problem fixed itself.
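Two points raised in the thread are worth checking against Suricata's own output: when one instance inspects a tagged parent interface, each EVE JSON alert still carries the `in_iface` and `vlan` fields, so alerts can be attributed to a VLAN after the fact; and when the instance runs on the WAN side, the inside host behind outbound NAT cannot be recovered from the alert alone, because Suricata only sees the firewall's public address. The script below is an added example written for this page, not code from any of the posters or from the Suricata or pfSense projects. The EVE records, interface names (`opt1_parent`, `wan0`), VLAN ids and addresses are all constructed, and the WAN address is a labelled placeholder.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample EVE JSON lines (not real data from the thread). Interface
# names, VLAN ids, addresses and signature names are made up for illustration.
SAMPLE_EVE = """\
{"timestamp":"2021-01-01T10:00:01.000000+0000","event_type":"alert","in_iface":"opt1_parent","vlan":[30],"src_ip":"192.168.30.15","src_port":50112,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"signature":"EXAMPLE outbound policy hit","severity":2}}
{"timestamp":"2021-01-01T10:00:02.000000+0000","event_type":"alert","in_iface":"opt1_parent","vlan":[40],"src_ip":"192.168.40.9","src_port":41000,"dest_ip":"198.51.100.8","dest_port":443,"proto":"TCP","alert":{"signature":"EXAMPLE outbound policy hit","severity":2}}
{"timestamp":"2021-01-01T10:00:03.000000+0000","event_type":"flow","in_iface":"opt1_parent","vlan":[30],"src_ip":"192.168.30.15","dest_ip":"198.51.100.7"}
{"timestamp":"2021-01-01T10:00:04.000000+0000","event_type":"alert","in_iface":"wan0","src_ip":"203.0.113.10","src_port":60222,"dest_ip":"198.51.100.9","dest_port":53,"proto":"UDP","alert":{"signature":"EXAMPLE dns policy hit","severity":3}}
{"timestamp":"2021-01-01T10:00:05.000000+0000","event_type":"alert","in_iface":"wan0","src_ip":"198.51.100.20","src_port":4444,"dest_ip":"203.0.113.10","dest_port":22,"proto":"TCP","alert":{"signature":"EXAMPLE inbound connection attempt","severity":1}}
"""

# Assumed firewall WAN address; placeholder, not taken from the thread.
WAN_IP = "203.0.113.10"


def parse_alerts(text):
    """Parse EVE JSON lines and keep only 'alert' events (flow, dns, etc. are dropped)."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") == "alert":
            alerts.append(event)
    return alerts


def attribute(alert, wan_ip):
    """Return (local_host, vlan_id, resolvable) for one alert.

    If either endpoint is the firewall's WAN address, the alert was seen after
    outbound NAT (or is inbound to the firewall itself), so the inside host is
    not recoverable from the alert. Otherwise the RFC 1918 endpoint is the
    local host, and the VLAN id comes straight from the EVE 'vlan' field.
    """
    vlan_id = (alert.get("vlan") or [None])[0]
    endpoints = [alert["src_ip"], alert["dest_ip"]]
    if wan_ip in endpoints:
        return None, vlan_id, False
    for addr in endpoints:
        if ipaddress.ip_address(addr).is_private:
            return addr, vlan_id, True
    return None, vlan_id, False


def summarize(text, wan_ip):
    """Count attributable alerts per (interface, VLAN) and unattributable ones."""
    per_vlan = Counter()
    unresolved = 0
    for alert in parse_alerts(text):
        host, vlan_id, ok = attribute(alert, wan_ip)
        if ok:
            per_vlan[(alert.get("in_iface"), vlan_id)] += 1
        else:
            unresolved += 1
    return dict(per_vlan), unresolved


if __name__ == "__main__":
    counts, unresolved = summarize(SAMPLE_EVE, WAN_IP)
    for (iface, vlan_id), n in sorted(counts.items(), key=str):
        print(f"{iface} vlan {vlan_id}: {n} alert(s)")
    print(f"alerts with no recoverable inside host (WAN side): {unresolved}")
```

Run against a real `eve.json` by replacing `SAMPLE_EVE` with the file contents and `WAN_IP` with the firewall's actual WAN address. The two WAN-side records in the sample both end up in the unresolved bucket, which is exactly the attribution gap described earlier in the thread; the two parent-interface records keep their VLAN ids, so a single instance on the parent still tells you which segment an alert came from.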

