suricata show Alert on wrong interface


  • pfSense is 2.5.0 latest snapshot [screenshot: Immagine.jpg]
    Why do I see an alert for the wrong IP/interface?
    172.17.0.0/24 is on another interface, SRV
    192.168.10.0/24 is LAN

    [2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/root: netstat -rn
    Routing tables
    
    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            213.xxx.xxx.xxx     UGS      pppoe0
    10.0.8.1           link#13            UHS         lo0
    10.0.8.2           link#13            UH       ovpns1
    127.0.0.1          link#4             UH          lo0
    172.16.0.0/24      10.0.8.2           UGS      ovpns1
    172.17.0.0/24      link#8             U      vmx1.100
    172.17.0.254       link#8             UHS         lo0
    192.168.1.0/24     10.0.8.2           UGS      ovpns1
    192.168.2.0/24     link#7             U       vmx1.30
    192.168.2.254      link#7             UHS         lo0
    192.168.10.0/24    link#2             U          vmx1
    192.168.10.254     link#2             UHS         lo0
    192.168.50.0/24    link#9             U       vmx1.50
    192.168.50.254     link#9             UHS         lo0
    213.xxx.xxx.xxx     link#11            UH       pppoe0
    216.66.80.98       213.xxx.xxx.xxx     UGHS     pppoe0
    217.xxx.xxx.xxx     link#11            UHS         lo0
    


  • Is LAN the parent interface for those VLANs I see in the second screenshot? If so, that's why the alerts (IPs) are showing on LAN.


  • @kiokoman said in suricata show Alert on wrong interface:

    172.17.0.0/24 link#8 U vmx1.100

    Yes it is.. probably I never noticed if it's normal



  • Yeah, when running on the parent interface of VLANs, the PCAP logic with promiscuous mode will show everything travelling on the physical wire. That's why, when using VLANs, it is most efficient in terms of memory and CPU usage to put the IDS on the parent interface and not run multiple instances on each VLAN.


  • @bmeeks

    about:

    Interface PCAP Snaplen
    This value may need to be increased if the physical interface is passing VLAN traffic and expected alerts are not being received.

    What is a good value to put in here? 1522 = 1500 + Ethernet + VLAN?

    You said it is most efficient to put the IDS on the parent interface.

    Is it considered wrong to have instances on each VLAN? For example, for the VLAN where I have some servers running I set IPS Policy Selection to Security, while on the other VLANs I set it to Balanced.
    Is it better to run only one instance and set the policy to Security on the parent interface?



  • @kiokoman said in suricata show Alert on wrong interface:

    @bmeeks

    about:

    Interface PCAP Snaplen
    This value may need to be increased if the physical interface is passing VLAN traffic and expected alerts are not being received.

    What is a good value to put in here? 1522 = 1500 + Ethernet + VLAN?

    The snaplen parameter needs to be long enough to hold the standard Ethernet frame plus any VLAN overhead. There is still debate, it appears, on the web about what to use. A quick Google search will find several links. So sorry to say I can't give you a good answer. I put the field in the package to allow users to experiment if they felt the need. The default value is still what it has always been with each IDS package. The field was added to allow those who wanted to experiment to do so.

    You said it is most efficient to put the IDS on the parent interface.

    Is it considered wrong to have instances on each VLAN? For example, for the VLAN where I have some servers running I set IPS Policy Selection to Security, while on the other VLANs I set it to Balanced.
    Is it better to run only one instance and set the policy to Security on the parent interface?

    Nothing is generally considered "wrong" with an IDS configuration. It simply comes down to RAM and CPU utilization balanced against the security needs. If it is vital that two VLANs have different security policies applied, then running an IDS instance on each with different configured rules is what it takes. However, if you find both instances have, for all intents and purposes, the same rules, why waste RAM and CPU time with an IDS instance on each VLAN? Just run a single IDS instance on the parent and see everything in the configured VLANs.
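As an added, constructed illustration of the two points above (not code from this thread, pfSense or Suricata), the Python below builds an 802.1Q-tagged frame like those a capture on the VLAN parent vmx1 sees, reads the VID back to attribute the alert to a VLAN (the VID-to-interface table is assumed from the netstat output earlier in the thread), and shows that a snaplen sized for untagged frames drops the last 4 bytes of a full-size tagged frame. The FCS is left out, as capture drivers normally strip it before the IDS sees the frame.

```python
import socket
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Assumed VID -> pfSense interface mapping, taken from the netstat output in this thread.
VID_TO_IFACE = {None: "vmx1 (LAN)", 30: "vmx1.30", 50: "vmx1.50", 100: "vmx1.100 (SRV)"}


def build_frame(vid, src_ip, dst_ip, payload_len):
    """Constructed Ethernet frame (no FCS) with a minimal IPv4 header; vid=None means untagged."""
    macs = bytes.fromhex("000c29aabbcc000c29ddeeff")  # constructed dst + src MAC
    # 802.1Q tag: TPID 0x8100, then TCI with PCP=0, DEI=0 and the 12-bit VID
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF) if vid is not None else b""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return macs + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + bytes(payload_len)


def parse_captured(frame, snaplen):
    """Parse only the bytes a pcap with this snaplen keeps; report VLAN id, IPs and truncation."""
    cap = frame[:snaplen]
    ethertype, = struct.unpack("!H", cap[12:14])
    off, vid = 14, None
    if ethertype == ETHERTYPE_VLAN:  # tagged: TCI follows, then the real ethertype
        tci, ethertype = struct.unpack("!HH", cap[14:18])
        vid, off = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4:
        return {"vid": vid, "ipv4": False}
    total_len, = struct.unpack("!H", cap[off + 2:off + 4])
    return {
        "vid": vid,
        "ipv4": True,
        "src": socket.inet_ntoa(cap[off + 12:off + 16]),
        "dst": socket.inet_ntoa(cap[off + 16:off + 20]),
        "iface": VID_TO_IFACE.get(vid, f"unknown VLAN {vid}"),
        # the tag pushes a full-size IP packet 4 bytes past the untagged maximum
        "truncated": len(cap) < off + total_len,
    }


if __name__ == "__main__":
    srv = build_frame(100, "172.17.0.10", "172.17.0.254", 1480)  # constructed SRV traffic
    for snaplen in (1514, 1518):
        print(snaplen, parse_captured(srv, snaplen))
```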

