[solved] Suricata - double check



  • Hi there,

    I use Suricata 4.1.6_1 with multiple interfaces.

    I use legacy mode and have the problem that the packets are checked twice.

    For example, I send a packet from the interface "Lan" -> over the interface "WAN" to the Internet. "Lan" blocks it and I release it; it is then blocked again on "WAN".
    I'm almost sure there was a way to turn that off. However, I no longer find it.

    Does somebody have any idea?

    EDIT: I'm looking for just one solution, from home network to internet. If it is possible at all.



  • Remove Suricata from your WAN interface. There is no need to run it there on a home network with NAT. In fact, it can actually interfere with you determining which internal host is responsible for a specific alert you may find later and need to track down.



  • @bmeeks said in Suricata - double check:

    Remove Suricata from your WAN interface. There is no need to run it there on a home network with NAT. In fact, it can actually interfere with you determining which internal host is responsible for a specific alert you may find later and need to track down.

    I tried, but it doesn't seem to be the best solution.
    If I deactivate Suricata on WAN, the hits that are recognized on WAN are not recognized on the other interfaces.

    I'll keep testing and let you know when I have something.



  • @deleted said in Suricata - double check:

    If I deactivate Suricata on WAN, the hits that are recognized on WAN are not recognized on the other interfaces.

    I'll keep testing and let you know when I have something.

    Most likely because that was traffic the default WAN firewall rules are blocking anyway. Having the IDS/IPS analyze and alert on traffic the firewall is going to drop anyway is a waste of valuable CPU resources. Remember what I've said here about a thousand times over the years. When you install Snort or Suricata, the traffic inspection happens before the firewall rules for all inbound traffic on an interface. That's why it is not generally useful to run the IDS/IPS on the WAN.
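The two points made in the replies above (the same outbound packet raising an alert on LAN and again on WAN, and the WAN-side alert no longer showing which internal host caused it because NAT has already rewritten the source address) can be checked against Suricata's own EVE JSON output. The following script is an added example, not code from the thread or from the Suricata or pfSense projects. It reads a handful of constructed alert records in the standard EVE alert format, pairs up LAN and WAN alerts that describe the same destination and signature within a short time window, and reports which alerts still identify an internal host. Interface names (em0 = WAN, em1 = LAN), the 192.168.1.0/24 LAN, the 203.0.113.10 WAN address and the second signature ID are assumptions for the example.

```python
"""Correlate Suricata EVE alerts from two interfaces to spot double inspection.

Assumes pfSense-style per-interface Suricata instances writing EVE JSON with
the standard alert fields (timestamp, in_iface, src_ip, dest_ip, dest_port,
proto, alert.signature_id). Example code, not part of Suricata or pfSense.
"""
import ipaddress
import json
from datetime import datetime

# Constructed sample EVE JSON lines, not captured from a real system.
# Assumed topology: LAN 192.168.1.0/24 (em1), NAT to WAN address 203.0.113.10 (em0).
# SID 2100498 is the well-known GPL "id check returned root" rule; SID 9000001
# is a made-up local rule used only to have a second, LAN-only alert.
SAMPLE_EVE = """
{"timestamp":"2020-05-10T12:00:00.100000+0000","event_type":"alert","in_iface":"em1","src_ip":"192.168.1.20","src_port":50321,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","action":"blocked"}}
{"timestamp":"2020-05-10T12:00:00.400000+0000","event_type":"alert","in_iface":"em0","src_ip":"203.0.113.10","src_port":50321,"dest_ip":"198.51.100.5","dest_port":80,"proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","action":"blocked"}}
{"timestamp":"2020-05-10T12:00:05.000000+0000","event_type":"flow","in_iface":"em1","src_ip":"192.168.1.20","dest_ip":"198.51.100.5","proto":"TCP"}
{"timestamp":"2020-05-10T12:00:09.000000+0000","event_type":"alert","in_iface":"em1","src_ip":"192.168.1.30","src_port":41000,"dest_ip":"198.51.100.9","dest_port":443,"proto":"TCP","alert":{"signature_id":9000001,"signature":"LOCAL example outbound policy alert","action":"allowed"}}
""".strip().splitlines()


def parse_alerts(lines):
    """Return only event_type == "alert" records, reduced to the fields we need."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, stats, dns, ... records are not alerts
        alerts.append({
            # EVE timestamps look like 2020-05-10T12:00:00.100000+0000
            "ts": datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "iface": rec["in_iface"],
            "src_ip": rec["src_ip"],
            "dest_ip": rec["dest_ip"],
            "dest_port": rec.get("dest_port"),
            "proto": rec["proto"],
            "sid": rec["alert"]["signature_id"],
        })
    return alerts


def find_double_inspections(alerts, lan_iface, wan_iface, window_seconds=2.0):
    """Pair each LAN-side alert with a WAN-side alert for the same destination,
    protocol and signature that fired within window_seconds: the same packet
    inspected twice. src_ip is deliberately not compared, because outbound NAT
    has rewritten it to the firewall's WAN address by the time WAN sees it."""
    wan_alerts = [a for a in alerts if a["iface"] == wan_iface]
    pairs = []
    for lan in (a for a in alerts if a["iface"] == lan_iface):
        for wan in wan_alerts:
            same_flow = (
                (lan["dest_ip"], lan["dest_port"], lan["proto"], lan["sid"])
                == (wan["dest_ip"], wan["dest_port"], wan["proto"], wan["sid"])
            )
            close_in_time = abs((wan["ts"] - lan["ts"]).total_seconds()) <= window_seconds
            if same_flow and close_in_time:
                pairs.append((lan, wan))
    return pairs


def internal_host(alert, lan_network):
    """The internal host responsible for an alert, or None when the alert was
    seen post-NAT (WAN side) and therefore only shows the firewall's own address."""
    net = ipaddress.ip_network(lan_network)
    src = ipaddress.ip_address(alert["src_ip"])
    return str(src) if src in net else None


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_EVE)
    for lan, wan in find_double_inspections(found, lan_iface="em1", wan_iface="em0"):
        print(f"SID {lan['sid']} to {lan['dest_ip']}:{lan['dest_port']} seen on both "
              f"{lan['iface']} (host {internal_host(lan, '192.168.1.0/24')}) and "
              f"{wan['iface']} (host {internal_host(wan, '192.168.1.0/24')})")
```

Run against a real pfSense box by replacing SAMPLE_EVE with the lines of the eve.json files from the LAN and WAN Suricata instances; every pair the script prints is a packet that cost two rule evaluations, and every WAN alert whose internal host comes back as None is an alert you could not trace to a workstation without the LAN-side copy.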



  • Okay I understand.

    Most of it is blocked by the firewall and the rest by the respective interface.

    Can this lead to security problems? When I think about it in an amateurish way, the IDS only checks further "in the back" of the system.
    I address my security problems for the firewall itself.



  • @deleted said in Suricata - double check:

    Okay I understand.

    Most of it is blocked by the firewall and the rest by the respective interface.

    Can this lead to security problems? When I think about it in an amateurish way, the IDS only checks further "in the back" of the system.
    I address my security problems for the firewall itself.

    A firewall itself is pretty secure. At least it is if you don't add a ton of third-party software to it. That's why a lot of us old pros on here give folks grief when they submit new posts asking how they can add this third-party package and that third-party package to their pfSense system such as Midnight Commander or PBX software or Samba, etc. Each added package brings in more shared libraries that might contain security issues.

    So if you run a pretty clean firewall, then you are fairly secure in terms of vulnerabilities within the firewall itself. And you're not really running the IDS/IPS to protect the firewall. Instead, the IDS/IPS is protecting the hosts behind the firewall because that's where you have the wild west of software installed with things like Flash, Windows, Java and such.

