Suricata setup



  • Hi all -
    I am new to pfSense and Suricata, and I need some help in configuring it properly.
    Basically, for now, I want to utilize pfSense "only" for Suricata IDS, and not for any other features that I could utilize.

    Can I use it for packet sniffing only (not for routing purposes at all)? If yes, how?



  • You can turn off the firewall features of pfSense, but you can't really stop the routing.

    If all you want to do with Suricata is sniff traffic, then just set up the binary package only and configure it. There are packages for most of the Linux distros, for Windows and of course FreeBSD. They won't have a GUI for configuration, but otherwise the underlying binary is the same in them all.

    To do this you will need a smart managed switch that offers port mirroring (or what some vendors call a "span port") so that you can copy packets from every other port on the switch over to the mirrored port so Suricata can see them. You would also need this same setup if you run Suricata on pfSense and don't use the routing function. Otherwise Suricata would see no traffic.



  • Thank you so much for your input.

    Just to be clear:
    I can utilize pfSense for Suricata only, with the routing capability off.

    I use Cisco managed switches, so port mirroring is not a problem.

    Do I set up everything on a single interface? Or will I need to utilize the WAN and LAN interfaces?

    The reason I want to use pfSense and not only Suricata is because I do have plans to use pfSense for much more than just an IDS.



  • @sr10977 said in Suricata setup:

    Thank you so much for your input.

    Just to be clear:
    I can utilize pfSense for Suricata only, with the routing capability off.

    I use Cisco managed switches, so port mirroring is not a problem.

    Do I set up everything on a single interface? Or will I need to utilize the WAN and LAN interfaces?

    The reason I want to use pfSense and not only Suricata is because I do have plans to use pfSense for much more than just an IDS.

    You would put Suricata on only a single pfSense interface. I suggest using the LAN. You can then connect the LAN port of pfSense to your Cisco mirrored (span) port. You will want to leave Suricata in plain IDS mode (no blocking). That is the default anyway. When Suricata starts, it will put the interface in promiscuous mode.



  • And depending on your network traffic, you might need a pretty beefy Cisco switch. This would be the case if you wanted to monitor a lot of busy ports on the switch. Mirroring can be resource intensive. Also consider that you might have only a 1 Gigabit/sec port speed to pfSense on that mirrored port if using copper. It's obvious that you could not then "mirror" say 3 to 5 Gigabits/sec of data down that single 1 Gigabit/sec pipe.

    I mention the above to alert you that depending on your port mirroring setup, Suricata may not see some packets if they wind up getting dropped due to pipeline loading.



  • Thank you so much!
    It is up, but for some reason I am only getting one single traffic type:
    ICMP src: switch dest: 224.0.0.1.....

    I will have to figure this one out; I believe it is on the switch side, not sending the traffic.
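The check the last post is working towards, and the packet-loss caveat two posts earlier, can both be answered from Suricata's own eve.json output. The script below is an added example, not code from the original thread or from the Suricata project: it reads eve.json (one JSON object per line), counts flows by protocol, separates unicast destinations from multicast/broadcast ones (hosts emit those even when the SPAN session forwards nothing else, which is exactly the "only 224.0.0.1" symptom), and pulls the cumulative capture drop counters from Suricata's periodic `stats` records, which is where a sensor that cannot keep up with the mirrored traffic shows it. The eve.json lines and IP addresses are constructed sample input; the field names (`event_type`, `flow`, `stats.capture.kernel_drops`) are Suricata's, but which capture counters appear depends on the capture method in use.

```python
"""Summarize what a Suricata sensor on a SPAN/mirror port is actually seeing."""
import json
import ipaddress
from collections import Counter

# Constructed sample eve.json lines, not real sensor output. This is the
# situation in the last post: the only thing reaching the mirror port is
# traffic from one host to 224.0.0.1.
SAMPLE_EVE_MULTICAST_ONLY = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.2","dest_ip":"224.0.0.1","proto":"ICMP"}
{"timestamp":"2024-01-01T10:02:05.000000+0000","event_type":"flow","src_ip":"10.0.0.2","dest_ip":"224.0.0.1","proto":"ICMP"}
{"timestamp":"2024-01-01T10:04:10.000000+0000","event_type":"flow","src_ip":"10.0.0.2","dest_ip":"224.0.0.1","proto":"ICMP"}
{"timestamp":"2024-01-01T10:05:00.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":3,"kernel_drops":0}}}
"""

# Constructed sample of a working mirror whose sensor port cannot keep up:
# unicast flows are present, but the cumulative drop counter keeps rising.
SAMPLE_EVE_OVERSUBSCRIBED = """\
{"timestamp":"2024-01-01T11:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP","app_proto":"http"}
{"timestamp":"2024-01-01T11:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"10.0.0.53","proto":"UDP","app_proto":"dns"}
{"timestamp":"2024-01-01T11:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"224.0.0.1","proto":"ICMP"}
{"timestamp":"2024-01-01T11:00:08.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":1800000,"kernel_drops":120000}}}
{"timestamp":"2024-01-01T11:00:16.000000+0000","event_type":"stats","stats":{"capture":{"kernel_packets":3600000,"kernel_drops":250000}}}
"""


def parse_eve(text):
    """Parse eve.json text (one JSON object per line); skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_non_unicast(ip):
    """True for multicast or limited-broadcast destinations. Subnet-directed
    broadcasts (e.g. 10.0.0.255) cannot be recognised without the netmask."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_multicast or addr == ipaddress.IPv4Address("255.255.255.255")


def diagnose(unicast, non_unicast, drop_pct):
    """Turn the counts into the question a practitioner would ask next."""
    if unicast == 0 and non_unicast == 0:
        return "no flows: check that the interface is up and in promiscuous mode"
    if unicast == 0:
        return ("only multicast/broadcast seen: the SPAN session is probably not "
                "forwarding unicast traffic (check source ports and rx/tx direction)")
    if drop_pct > 0:
        return ("capture drops reported: the sensor or its mirror port is "
                "oversubscribed; mirror fewer ports or use a faster destination port")
    return "unicast traffic seen and no capture drops"


def summarize(events):
    """Count flows by protocol, split unicast from non-unicast destinations,
    and take the latest cumulative capture counters from the stats records."""
    by_proto = Counter()
    by_dest = Counter()
    unicast = non_unicast = 0
    kernel_packets = kernel_drops = 0
    for ev in events:
        etype = ev.get("event_type")
        if etype == "flow":
            app = ev.get("app_proto")
            by_proto[app if app and app != "failed" else ev.get("proto", "?")] += 1
            dest = ev.get("dest_ip", "")
            by_dest[dest] += 1
            if is_non_unicast(dest):
                non_unicast += 1
            else:
                unicast += 1
        elif etype == "stats":
            cap = ev.get("stats", {}).get("capture", {})
            # Counters are cumulative since sensor start, so the latest record wins.
            kernel_packets = cap.get("kernel_packets", kernel_packets)
            kernel_drops = cap.get("kernel_drops", kernel_drops)
    drop_pct = 100.0 * kernel_drops / kernel_packets if kernel_packets else 0.0
    return {
        "flows_by_proto": dict(by_proto),
        "top_destinations": by_dest.most_common(5),
        "unicast_flows": unicast,
        "non_unicast_flows": non_unicast,
        "kernel_drops": kernel_drops,
        "drop_pct": round(drop_pct, 2),
        "diagnosis": diagnose(unicast, non_unicast, drop_pct),
    }


if __name__ == "__main__":
    # On a real sensor: summarize(parse_eve(open("/var/log/suricata/eve.json").read()))
    for name, text in (("multicast only", SAMPLE_EVE_MULTICAST_ONLY),
                       ("oversubscribed", SAMPLE_EVE_OVERSUBSCRIBED)):
        print(name, json.dumps(summarize(parse_eve(text)), indent=2))
```

Run it against the sensor's eve.json once the mirror is up: if the only destinations are multicast or broadcast, the switch is not sending the unicast traffic and the SPAN source ports or direction need checking; if unicast flows are present but `kernel_drops` keeps climbing between stats records, the mirror is delivering more than the sensor's port or capture path can absorb, which is the loss the earlier post warns about. Packets the switch itself discards on an oversubscribed mirror port never reach the sensor and do not appear in these counters at all.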
