Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Suricata widget only giving alerts on WAN. No LAN alerts

    IDS/IPS
    3
    4
    283
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      Cool_Corona last edited by

      How to change that and give the widget more than 20 alerts??

      On a busy system its hard to follow the amount of alerts going through...

      bmeeks 1 Reply Last reply Reply Quote 0
      • bmeeks
        bmeeks @Cool_Corona last edited by bmeeks

        @cool_corona said in Suricata widget only giving alerts on WAN. No LAN alerts:

        How to change that and give the widget more than 20 alerts??

        On a busy system its hard to follow the amount of alerts going through...

        The widget displays the most recent alerts from all of the alert logs. So a really busy WAN may well overwhelm a not-so-busy LAN when you run instances on both. The limit of 20 is just because of the limited space on the dashboard. I wanted the widget to play nice with all the other widgets.

        But as I've said many times, there is seldom a reason for users to put an instance on their WAN. The LAN is a much better place in almost all cases. The only time I would consider an instance on the WAN is if I had internal servers exposed to the web, but even then I would create a DMZ and put the IDS instance on the DMZ and not the WAN. The WAN is always going to show a lot of useless noise because the IDS sits out in front of the firewall. Thus it will see and alert on junk the firewall is going to likely block anyway.

        S 1 Reply Last reply Reply Quote 0
        • S
          SteveITS @bmeeks last edited by SteveITS

          @bmeeks said in Suricata widget only giving alerts on WAN. No LAN alerts:

          The LAN is a much better place in almost all cases

          I set up a new router for a client today. When creating a new interface it defaults to WAN...I thought of this thread. Perhaps it should default to LAN? (this was Snort but I know it's the same code in pfSense). Possibly this is tied to the interface id (mvneta0=WAN vs mvneta1=LAN on this SG-2100).

          Steve

          Only install packages for your version, or risk breaking it. If yours is older, select it in System/Update/Update Settings.
          When upgrading, let it finish. Allow 10 minutes, or more depending on packages and device speed.

          bmeeks 1 Reply Last reply Reply Quote 0
          • bmeeks
            bmeeks @SteveITS last edited by

            @teamits said in Suricata widget only giving alerts on WAN. No LAN alerts:

            @bmeeks said in Suricata widget only giving alerts on WAN. No LAN alerts:

            The LAN is a much better place in almost all cases

            I set up a new router for a client today. When creating a new interface it defaults to WAN...I thought of this thread. Perhaps it should default to LAN? (this was Snort but I know it's the same code in pfSense). Possibly this is tied to the interface id (mvneta0 vs mvneta1 on this SG-2100).

            Yeah, that's probably something I should think about changing. That was the way it worked years ago when I inherited maintenance of the Snort package and I never changed it. That default also got copied over to Suricata when I created that package.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post