Detecting specific anomalous traffic
-
There's lots of anomalous traffic that will just get dropped at the firewall, and rightly so. Firewall logs are painfully boring as it is. However, I'd like for some anomalous conditions to generate an alert, and I'm not sure how to achieve that with pfsense.
For example, if an internal host sends out a SYN, and the firewall relays that and receives two valid SYN/ACK responses - not one, not a flood, but exactly two - that tells me somebody is monitoring traffic on an upstream router and is using that to try to get at my network. I'd really like to know about that. It should be easy to detect.
Default behavior at the firewall is to just drop the second SYN/ACK packet and I'm never going to see anything in the logs.
Any ideas?
-
You could investigate the stream-events rules in Suricata. It's possible some of those might detect that. When you install one of the IDS/IPS packages (Suricata or Snort) on pfSense, the package sniffs traffic between the physical NIC and the firewall rules engine. So the IDS would see all inbound WAN traffic if run on the WAN interface before anything within the pfSense firewall engine or even the kernel networking stack touched that traffic.
There is nothing native within pfSense that "alerts" on anything. It is a firewall that passes, blocks or rejects traffic. It logs what it does, but it does not generate "alerts" in the classical sense. You would need to send the pertinent logs to an offline SIEM of some sort for further analysis and alerting from the SIEM tool. This holds true for the IDS/IPS packages as well. While they both have GUI displays where you can examine alerts, they don't send emails or otherwise externally alert the admin. Again, that would be something a third-party SIEM tool would do by examining exported logs from pfSense.
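As an added illustration of the check the original question describes (one outbound SYN answered by exactly two distinct SYN/ACKs, as opposed to one or a flood), here is a small offline Python model of the detection logic. It is example code written for this page, not code from pfSense or Suricata; the packet summaries are constructed, their field names (ts, src, sport, dst, dport, flags, seq, ack) are my own rather than any pfSense or Suricata log format, and the verdict labels are arbitrary. The point it adds to the prose is the edge case: a server that retransmits its SYN/ACK verbatim because the client's ACK was lost reuses the same initial sequence number, so counting distinct server ISNs rather than raw SYN/ACK packets keeps that benign case from firing.

```python
"""Offline model of the check the question describes: one outbound SYN that is
answered by exactly two distinct SYN/ACKs (not one, not a flood).

Added example, not code from pfSense or Suricata. The packet summaries below are
constructed, and their field names (ts, src, sport, dst, dport, flags, seq, ack)
are my own, not a pfSense or Suricata log format.
"""

CLIENT = "198.51.100.10"  # constructed: the internal host as seen on the WAN side


def pkt(ts, src, sport, dst, dport, flags, seq, ack):
    return dict(ts=ts, src=src, sport=sport, dst=dst, dport=dport,
                flags=flags, seq=seq, ack=ack)


# Constructed sample, one SYN per flow:
#   A: normal handshake, a single SYN/ACK
#   B: two SYN/ACKs carrying different server ISNs, i.e. a second party answered
#   C: the same SYN/ACK retransmitted verbatim (our ACK was lost), benign
#   D: six different SYN/ACKs, a flood rather than the "exactly two" case
SAMPLE_PACKETS = [
    pkt(1.00, CLIENT, 40001, "203.0.113.5", 443, "S", 1000, 0),
    pkt(1.02, "203.0.113.5", 443, CLIENT, 40001, "SA", 5000, 1001),
    pkt(1.02, CLIENT, 40001, "203.0.113.5", 443, "A", 1001, 5001),
    pkt(1.03, "203.0.113.5", 443, CLIENT, 40001, "SA", 5555, 4242),  # stray: wrong ack, not ours
    pkt(2.00, CLIENT, 40002, "203.0.113.7", 443, "S", 2000, 0),
    pkt(2.01, "203.0.113.7", 443, CLIENT, 40002, "SA", 7000, 2001),  # real server
    pkt(2.01, "203.0.113.7", 443, CLIENT, 40002, "SA", 9999, 2001),  # second responder
    pkt(3.00, CLIENT, 40003, "203.0.113.9", 80, "S", 3000, 0),
    pkt(3.02, "203.0.113.9", 80, CLIENT, 40003, "SA", 11000, 3001),
    pkt(4.10, "203.0.113.9", 80, CLIENT, 40003, "SA", 11000, 3001),  # retransmit, same ISN
    pkt(5.00, CLIENT, 40004, "203.0.113.11", 22, "S", 4000, 0),
] + [
    pkt(5.01 + i / 100, "203.0.113.11", 22, CLIENT, 40004, "SA", 100 * (i + 1), 4001)
    for i in range(6)
]


def handshakes(packets):
    """Map each SYN to the server ISNs of the SYN/ACKs that answer it.

    A SYN/ACK answers a SYN when it travels the reverse 4-tuple and its ack
    number equals the SYN's seq + 1; a SYN/ACK with any other ack is ignored.
    Keeping the server ISN lets a verbatim retransmission be told apart from
    a second responder, which picks its own ISN.
    """
    syns = {}  # (client, cport, server, sport, client_isn) -> [server isn, ...]
    for p in packets:
        if p["flags"] == "S":
            syns.setdefault((p["src"], p["sport"], p["dst"], p["dport"], p["seq"]), [])
        elif p["flags"] == "SA":
            key = (p["dst"], p["dport"], p["src"], p["sport"], p["ack"] - 1)
            if key in syns:
                syns[key].append(p["seq"])
    return syns


def classify(packets, flood_threshold=5):
    """Return {syn_key: verdict} using the count of *distinct* SYN/ACK ISNs."""
    verdicts = {}
    for key, isns in handshakes(packets).items():
        n = len(set(isns))
        if n == 0:
            verdict = "no-response"
        elif n == 1:
            verdict = "ok"                 # duplicates with the same ISN are retransmits
        elif n >= flood_threshold:
            verdict = "synack-flood"       # worth an alert, but a different one
        elif n == 2:
            verdict = "second-responder"   # the case the question asks about
        else:
            verdict = "multiple-responders"
        verdicts[key] = verdict
    return verdicts


def alerts(packets, flood_threshold=5):
    """Human-readable alert lines for everything that is neither ok nor unanswered."""
    lines = []
    for (client, cport, server, sport, _isn), verdict in classify(packets, flood_threshold).items():
        if verdict not in ("ok", "no-response"):
            lines.append(f"{verdict}: {client}:{cport} -> {server}:{sport}")
    return lines


if __name__ == "__main__":
    for line in alerts(SAMPLE_PACKETS):
        print(line)
```

Run stand-alone it prints one line each for flows B and D. The two design choices worth carrying over to a real rule are the ones the prose leaves implicit: match a SYN/ACK to its SYN by the reverse 4-tuple and ack number, not by addresses alone, so stray or stale SYN/ACKs do not count; and count distinct server ISNs, so a legitimate retransmission is not mistaken for a second responder. The flood threshold is arbitrary and would be tuned to the link. If you go the Suricata route, check the shipped stream-events rule file on your install for the events covering a SYN/ACK resent with a different sequence or ack number; I have not verified the exact event names here, so treat them as something to confirm against your rule set rather than a given.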
-
Thanks! Yes, Suricata's stream-events seem to have what I'm looking for, if I configure it correctly.