suricata show Alert on wrong interface
-
pfsense is 2.5.0 latest snapshot
why do i see alert for the wrong ip/interface?
172.17.0.0/24 is on another interface, SRV
192.168.10.0/24 is LAN[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/root: netstat -rn Routing tables Internet: Destination Gateway Flags Netif Expire default 213.xxx.xxx.xxx UGS pppoe0 10.0.8.1 link#13 UHS lo0 10.0.8.2 link#13 UH ovpns1 127.0.0.1 link#4 UH lo0 172.16.0.0/24 10.0.8.2 UGS ovpns1 172.17.0.0/24 link#8 U vmx1.100 172.17.0.254 link#8 UHS lo0 192.168.1.0/24 10.0.8.2 UGS ovpns1 192.168.2.0/24 link#7 U vmx1.30 192.168.2.254 link#7 UHS lo0 192.168.10.0/24 link#2 U vmx1 192.168.10.254 link#2 UHS lo0 192.168.50.0/24 link#9 U vmx1.50 192.168.50.254 link#9 UHS lo0 213.xxx.xxx.xxx link#11 UH pppoe0 216.66.80.98 213.xxx.xxx.xxx UGHS pppoe0 217.xxx.xxx.xxx link#11 UHS lo0 -
Is LAN the parent interface for those VLANs I see in the second screenshot? If so, that's why the alerts (IPs) are showing on LAN.
-
@kiokoman said in suricata show Alert on wrong interface:
172.17.0.0/24 link#8 U vmx1.100
yes it is, .. probably i never noticed if it's normal
-
Yeah, when running on the parent interface of VLANs, the PCAP logic with promiscuous mode will show everything travelling on the physical wire. That's why, when using VLANs, it is most efficient in terms of memory and CPU usage to put the IDS on the parent interface and not run multiple instances on each VLAN.
-
about:
Interface PCAP Snaplen
This value may need to be increased if the physical interface is passing VLAN traffic and expected alerts are not being received.what is a good value to put in here ? 1522 = 1500 + ethernet + vlan ?
you said it is most efficient..to put the IDS on the parent interface
is it considered wrong to have instances on each VLAN ? for example for the vlan where i have some servers running i set IPS Policy Selection to security while on the other vlans i set it as Balanced,
is it better to run only one istance and set the policy to security on the parent interface ? -
@kiokoman said in suricata show Alert on wrong interface:
about:
Interface PCAP Snaplen
This value may need to be increased if the physical interface is passing VLAN traffic and expected alerts are not being received.what is a good value to put in here ? 1522 = 1500 + ethernet + vlan ?
The snaplen parameter needs to be long enough to hold the standard Ethernet frame plus any VLAN overhead. There is still debate, it appears, on the web about what to use. A quick Google search will find several links. So sorry to say I can't give you a good answer. I put the field in the package to allow users to experiment if they felt the need. The default value is still what has always been with each IDS package. The field was added to allow those who wanted to experiment to do so.
you said it is most efficient..to put the IDS on the parent interface
is it considered wrong to have instances on each VLAN ? for example for the vlan where i have some servers running i set IPS Policy Selection to security while on the other vlans i set it as Balanced,
is it better to run only one istance and set the policy to security on the parent interface ?Nothing is generally considered "wrong" with an IDS configuration. It simply comes down to RAM and CPU utilization balanced against the security needs. If it is vital that two VLANs have different security policies applied, then running an IDS instance on each with different configured rules is what it takes. However, if you find both instances have, for all intents and purposes, the same rules, why waste RAM and CPU time with an IDS instance on each VLAN? Just run a single IDS instance on the parent and see everything in the configured VLANs.