Suricata widget only giving alerts on WAN. No LAN alerts

Cool_Corona

How to change that and give the widget more than 20 alerts??

On a busy system its hard to follow the amount of alerts going through...

bmeeks

@cool_corona said in Suricata widget only giving alerts on WAN. No LAN alerts:

How to change that and give the widget more than 20 alerts??

On a busy system its hard to follow the amount of alerts going through...

The widget displays the most recent alerts from all of the alert logs. So a really busy WAN may well overwhelm a not-so-busy LAN when you run instances on both. The limit of 20 is just because of the limited space on the dashboard. I wanted the widget to play nice with all the other widgets.

But as I've said many times, there is seldom a reason for users to put an instance on their WAN. The LAN is a much better place in almost all cases. The only time I would consider an instance on the WAN is if I had internal servers exposed to the web, but even then I would create a DMZ and put the IDS instance on the DMZ and not the WAN. The WAN is always going to show a lot of useless noise because the IDS sits out in front of the firewall. Thus it will see and alert on junk the firewall is going to likely block anyway.

teamits

@bmeeks said in Suricata widget only giving alerts on WAN. No LAN alerts:

The LAN is a much better place in almost all cases

I set up a new router for a client today. When creating a new interface it defaults to WAN...I thought of this thread. Perhaps it should default to LAN? (this was Snort but I know it's the same code in pfSense). Possibly this is tied to the interface id (mvneta0=WAN vs mvneta1=LAN on this SG-2100).

bmeeks

@teamits said in Suricata widget only giving alerts on WAN. No LAN alerts:

@bmeeks said in Suricata widget only giving alerts on WAN. No LAN alerts:

The LAN is a much better place in almost all cases

I set up a new router for a client today. When creating a new interface it defaults to WAN...I thought of this thread. Perhaps it should default to LAN? (this was Snort but I know it's the same code in pfSense). Possibly this is tied to the interface id (mvneta0 vs mvneta1 on this SG-2100).

Yeah, that's probably something I should think about changing. That was the way it worked years ago when I inherited maintenance of the Snort package and I never changed it. That default also got copied over to Suricata when I created that package.