Suricata alerting on closed ports - Why?

  • Hi Guys,

    Just starting with Suricata so forgive me if this is a dumb question.

    I have port forwarding on for a given port on a server with a virtual IP. My understanding is that the firewall will block by default and only allow traffic I specify. So to that end, I'm surprised that Suricata is alerting on port 143 as below:

    Misc Attack  Source IP (x.x.x.)  63899  to x.x.x.x (one of my virtual IP's)  dest port 143  1:2403382  ET CINS Active Threat Intelligence Poor Reputation IP group 83

    Is Suricata simply inspecting traffic before it hits my firewall ? If so I thought the idea was to help suricata out by blocking unwanted traffic or am I missing something?


  • @nikmiddleton Understand that the NIC and hence Suricata sees traffic before the firewall does.

  • @NollipfSense is correct. Suricata (or Snort, if you use it) sees traffic the instant it leaves the hardware NIC, before the firewall engine and its rules see or act on the traffic.

    So, for example, if you have Suricata on the WAN, then inbound packets come off your NIC and hit Suricata for inspection before any firewall rules have been applied. In actual fact, when using Legacy Mode Blocking, Suricata gets copies of packets from the NIC while the original packet is sent on to the firewall engine. For outbound traffic, the opposite is true. Firewall rules and NAT are applied and then Suricata sees the packet as it exits the NIC onto the wire.

    A similar thing occurs on the LAN side. Suricata sees traffic coming from your LAN side into the firewall BEFORE any firewall rules are applied. Conversely, Suricata sees traffic coming from your firewall into the LAN interface AFTER any firewall rules are applied.
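Because Suricata on the WAN inspects packets before the firewall's rules drop them, an alert on a port the firewall does not forward (port 143 above) is expected noise rather than evidence that anything reached the host. The following added example (not code from the thread, from pfSense or from the Suricata project) sorts Suricata fast.log alerts by whether the destination protocol/IP/port is actually in the firewall's port-forward table. The log lines, the IP addresses and the port-forward table are all constructed for illustration; the only value taken from the thread is the signature id 2403382.

```python
"""Triage Suricata fast.log alerts against the firewall's port-forward policy.

Added example. The fast.log format parsed here is the real one:
  TS  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} SRC:PORT -> DST:PORT
All sample data below (addresses, ports, log lines, policy) is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


@dataclass
class Alert:
    ts: str
    sid: int
    msg: str
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def _split_endpoint(endpoint: str, proto: str):
    """TCP/UDP endpoints carry a trailing :port; ICMP and others do not."""
    if proto.upper() in ("TCP", "UDP"):
        host, _, port = endpoint.rpartition(":")
        return host, int(port)
    return endpoint, None


def parse_fast_log_line(line: str) -> Optional[Alert]:
    """Parse one fast.log line; return None for lines that do not match."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m["src"], m["proto"])
    dst_ip, dst_port = _split_endpoint(m["dst"], m["proto"])
    return Alert(m["ts"], int(m["sid"]), m["msg"], m["proto"].upper(),
                 src_ip, src_port, dst_ip, dst_port)


# Constructed port-forward table: (protocol, WAN virtual IP, port) the firewall
# actually forwards. Everything inbound that is not listed here is dropped by
# the default-deny policy after Suricata has already seen it.
FORWARDED = {
    ("TCP", "203.0.113.10", 443),
    ("UDP", "203.0.113.10", 1194),
}


def classify(alert: Alert, forwarded=FORWARDED) -> str:
    """Tell alerts that hit a forwarded service apart from firewall-dropped noise."""
    if alert.dst_port is None:
        return "no_port"          # ICMP and friends: port policy does not apply
    if (alert.proto, alert.dst_ip, alert.dst_port) in forwarded:
        return "reached_forwarded_service"   # worth a human look
    return "dropped_by_firewall"             # seen by Suricata, never reached a host


def summarize(lines, forwarded=FORWARDED) -> Counter:
    counts: Counter = Counter()
    for line in lines:
        alert = parse_fast_log_line(line)
        if alert is None:
            counts["unparsed"] += 1
            continue
        counts[classify(alert, forwarded)] += 1
    return counts


# Constructed sample log (port 143 line mirrors the alert quoted in the thread).
SAMPLE_LOG = [
    "03/14/2024-10:22:31.123456  [**] [1:2403382:1] ET CINS Active Threat Intelligence Poor Reputation IP group 83 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.23:63899 -> 203.0.113.10:143",
    "03/14/2024-10:22:35.000001  [**] [1:2403382:1] ET CINS Active Threat Intelligence Poor Reputation IP group 83 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.23:63900 -> 203.0.113.10:443",
    "03/14/2024-10:23:02.444444  [**] [1:2403382:1] ET CINS Active Threat Intelligence Poor Reputation IP group 83 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.44:40000 -> 203.0.113.10:1194",
    "03/14/2024-10:23:09.999999  [**] [1:2403382:1] ET CINS Active Threat Intelligence Poor Reputation IP group 83 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.44:40001 -> 203.0.113.10:22",
    "03/14/2024-10:24:00.000000  [**] [1:2403382:1] ET CINS Active Threat Intelligence Poor Reputation IP group 83 [**] [Classification: Misc Attack] [Priority: 2] {ICMP} 198.51.100.77 -> 203.0.113.10",
    "this line is not a fast.log record",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{key:28s} {n}")
```

Point it at a real fast.log (one line per alert) and the `FORWARDED` set at your own port-forward rules; the `dropped_by_firewall` bucket is the traffic the thread is about, and `reached_forwarded_service` is the subset that deserves triage.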

  • That makes sense now

    Thank you,
