Netgate Discussion Forum

    [solved] Suricata - double check

    Category: IDS/IPS
    6 Posts 2 Posters 843 Views
    deleted (last edited by deleted):

      Hi there,

      I use Suricata 4.1.6_1 with multiple interfaces.

      I use legacy mode and have the problem that the packets are checked twice.

      For example, I send a packet from the "LAN" interface over the "WAN" interface to the Internet. If "LAN" blocks it and I release it, it is then blocked again on "WAN".
      I'm almost sure there was a way to turn that off. However, I no longer find it.

      Does somebody have any idea?

      EDIT: I'm looking for just one solution, from home network to internet. If it is possible at all.

      bmeeks:

        Remove Suricata from your WAN interface. There is no need to run it there on a home network with NAT. In fact, it can actually interfere with you determining which internal host is responsible for a specific alert you may find later and need to track down.

        deleted @bmeeks:

          @bmeeks said in Suricata - double check:

          Remove Suricata from your WAN interface. There is no need to run it there on a home network with NAT. In fact, it can actually interfere with you determining which internal host is responsible for a specific alert you may find later and need to track down.

          I tried, but it doesn't seem to be the best solution.
          If I deactivate Suricata on WAN, the hits that are recognized on WAN are not recognized on the other interfaces.

          I'll keep testing and let you know when I have something.

          bmeeks @deleted (last edited by bmeeks):

            @deleted said in Suricata - double check:

            If I deactivate Suricata on WAN, the hits that are recognized on WAN are not recognized on the other interfaces.

            I'll keep testing and let you know when I have something.

            Most likely because that was traffic the default WAN firewall rules are blocking anyway. Having the IDS/IPS analyze and alert on traffic the firewall is going to drop anyway is a waste of valuable CPU resources. Remember what I've said here about a thousand times over the years. When you install Snort or Suricata, the traffic inspection happens before the firewall rules for all inbound traffic on an interface. That's why it is not generally useful to run the IDS/IPS on the WAN.

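            Added example, not part of the thread or of the pfSense/Suricata packages: a short Python script that reads the eve.json alert output of a LAN-side and a WAN-side Suricata instance and sorts the alerts into the three buckets the two bmeeks replies above describe. Outbound flows alert on both interfaces (the original poster's "checked twice"), and the WAN copy carries only the NAT source address, so the internal host can be recovered from the LAN record alone. Alerts seen only on WAN are unsolicited inbound traffic, inspected before the firewall rules run; whether the default WAN rules would have dropped them is not something the IDS log can tell you, so this example does not try to. The interface names em1 (LAN) and em0 (WAN), the WAN address 198.51.100.7, the hosts, the signature IDs in the local 1000000+ range and the log lines themselves are all constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed eve.json alert lines for the example (not real logs). Interface
# names em1 (LAN) and em0 (WAN), the WAN address 198.51.100.7, the hosts and
# the signature IDs in the local 1000000+ range are all assumptions.
LAN_EVE = "\n".join([
    # outbound flow: the LAN instance sees the real internal source address
    '{"timestamp":"2019-12-01T10:15:30.101000+0100","in_iface":"em1","event_type":"alert",'
    '"src_ip":"192.168.1.23","src_port":51000,"dest_ip":"203.0.113.50","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","signature_id":1000001,"signature":"LOCAL outbound test"}}',
    # a non-alert event, which the parser must skip
    '{"timestamp":"2019-12-01T10:15:44.900000+0100","in_iface":"em1","event_type":"dns",'
    '"src_ip":"192.168.1.40","src_port":53111,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP"}',
    # traffic to the firewall itself never crosses WAN, so the WAN instance cannot see it
    '{"timestamp":"2019-12-01T10:15:45.000000+0100","in_iface":"em1","event_type":"alert",'
    '"src_ip":"192.168.1.40","src_port":53111,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP",'
    '"alert":{"action":"allowed","signature_id":1000003,"signature":"LOCAL dns to firewall test"}}',
])
WAN_EVE = "\n".join([
    # the same outbound flow after NAT: the source is now the WAN address
    '{"timestamp":"2019-12-01T10:15:30.102000+0100","in_iface":"em0","event_type":"alert",'
    '"src_ip":"198.51.100.7","src_port":51000,"dest_ip":"203.0.113.50","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","signature_id":1000001,"signature":"LOCAL outbound test"}}',
    # unsolicited inbound traffic to the WAN address, inspected before the firewall rules run
    '{"timestamp":"2019-12-01T10:15:33.000000+0100","in_iface":"em0","event_type":"alert",'
    '"src_ip":"192.0.2.200","src_port":40000,"dest_ip":"198.51.100.7","dest_port":23,"proto":"TCP",'
    '"alert":{"action":"allowed","signature_id":1000002,"signature":"LOCAL inbound telnet test"}}',
])


def parse_eve(text):
    """Return the alert records from eve.json text, each with a parsed 'ts' datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, dns, stats and other event types are not alerts
        rec["ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        records.append(rec)
    return records


def flow_key(rec):
    """Fields of an outbound flow that survive NAT: the rule that fired and the remote endpoint.

    src_ip and src_port are deliberately left out: pfSense rewrites the source address
    (and may rewrite the source port) before the WAN instance sees the packet."""
    return (rec["alert"]["signature_id"], rec["dest_ip"], rec["dest_port"], rec["proto"])


def correlate(lan_records, wan_records, window=timedelta(seconds=2)):
    """Pair each LAN alert with the WAN alert for the same outbound flow, if one exists.

    Returns (pairs, lan_only, wan_only). Each WAN record is consumed at most once."""
    unmatched_wan = list(wan_records)
    pairs, lan_only = [], []
    for lan in lan_records:
        match = None
        for wan in unmatched_wan:
            if flow_key(wan) == flow_key(lan) and abs(wan["ts"] - lan["ts"]) <= window:
                match = wan
                break
        if match is None:
            lan_only.append(lan)
        else:
            unmatched_wan.remove(match)
            pairs.append((lan, match))
    return pairs, lan_only, unmatched_wan


def summarise(lan_text, wan_text):
    """Bucket the alerts: double-checked outbound flows, LAN-only, and WAN-only inbound."""
    pairs, lan_only, wan_only = correlate(parse_eve(lan_text), parse_eve(wan_text))
    return {
        "double_checked": [
            {"sid": lan["alert"]["signature_id"],
             "internal_host": lan["src_ip"],     # only the LAN instance records this
             "seen_on_wan_as": wan["src_ip"]}    # the WAN instance only sees the NAT address
            for lan, wan in pairs],
        "lan_only": [
            {"sid": r["alert"]["signature_id"], "dest_ip": r["dest_ip"]} for r in lan_only],
        "wan_only_inbound": [
            {"sid": r["alert"]["signature_id"], "src_ip": r["src_ip"], "dest_port": r["dest_port"]}
            for r in wan_only],
    }


if __name__ == "__main__":
    print(json.dumps(summarise(LAN_EVE, WAN_EVE), indent=2))
```

            Point it at the two instances' real eve.json files (pfSense keeps a separate log directory per Suricata interface) by replacing the constructed strings with the file contents. The matching window of two seconds is generous on purpose: the two instances timestamp independently, and a flow that the LAN instance blocked and you later released will show up on WAN only after the release, which is exactly the "blocked again" behaviour from the first post.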
            deleted:

              Okay, I understand.

              Most of it is blocked by firewall and the rest by the respective interface.

              Can this lead to security problems? When I think about it in an amateurish way, the IDS only checks further "in the back" of the system.
              I address my security problems for the firewall itself.

              bmeeks @deleted (last edited by bmeeks):

                @deleted said in Suricata - double check:

                Okay, I understand.

                Most of it is blocked by firewall and the rest by the respective interface.

                Can this lead to security problems? When I think about it in an amateurish way, the IDS only checks further "in the back" of the system.
                I address my security problems for the firewall itself.

                A firewall itself is pretty secure. At least it is if you don't add a ton of third-party software to it. That's why a lot of us old pros on here give folks grief when they submit new posts asking how they can add this third-party package and that third-party package to their pfSense system such as Midnight Commander or PBX software or Samba, etc. Each added package brings in more shared libraries that might contain security issues.

                So if you run a pretty clean firewall, then you are fairly secure in terms of vulnerabilities within the firewall itself. And you're not really running the IDS/IPS to protect the firewall. Instead, the IDS/IPS is protecting the hosts behind the firewall because that's where you have the wild west of software installed with things like Flash, Windows, Java and such.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.