Netgate Discussion Forum

    Suricata widget only giving alerts on WAN. No LAN alerts

    4 Posts 3 Posters 745 Views
    • Cool_Corona

      How to change that and give the widget more than 20 alerts??

      On a busy system it's hard to follow the amount of alerts going through...

      • bmeeks @Cool_Corona

        @cool_corona said in Suricata widget only giving alerts on WAN. No LAN alerts:

        How to change that and give the widget more than 20 alerts??

        On a busy system it's hard to follow the amount of alerts going through...

        The widget displays the most recent alerts from all of the alert logs. So a really busy WAN may well overwhelm a not-so-busy LAN when you run instances on both. The limit of 20 is just because of the limited space on the dashboard. I wanted the widget to play nice with all the other widgets.

        But as I've said many times, there is seldom a reason for users to put an instance on their WAN. The LAN is a much better place in almost all cases. The only time I would consider an instance on the WAN is if I had internal servers exposed to the web, but even then I would create a DMZ and put the IDS instance on the DMZ and not the WAN. The WAN is always going to show a lot of useless noise because the IDS sits out in front of the firewall. Thus it will see and alert on junk the firewall is going to likely block anyway.
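
Added example, not part of the thread and not code from the pfSense package: a short script that shows why one merged "newest 20" list ends up all WAN, next to a per-interface view of the same alerts. It assumes the per-interface alert logs use Suricata's fast.log line format; the interface names, function names and sample lines are constructed for the illustration.

```python
import heapq
import re
from collections import defaultdict
from datetime import datetime

# Suricata "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def load(logs):
    """logs: {interface name: iterable of log lines}. Malformed lines are skipped."""
    alerts = []
    for iface, lines in logs.items():
        for line in lines:
            m = FAST_RE.match(line)
            if m:
                when = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f")
                alerts.append({**m.groupdict(), "iface": iface, "time": when})
    return alerts

def newest_merged(alerts, limit=20):
    """One list across all interfaces, newest first (the behaviour described in the post)."""
    return heapq.nlargest(limit, alerts, key=lambda a: a["time"])

def newest_per_iface(alerts, limit=20):
    """Newest `limit` alerts for each interface, so a quiet LAN is not crowded out."""
    groups = defaultdict(list)
    for a in alerts:
        groups[a["iface"]].append(a)
    return {i: newest_merged(g, limit) for i, g in groups.items()}

def sample_logs():
    """Constructed data: 60 WAN alerts (one per second) and 3 older LAN alerts."""
    wan = [f"01/01/2025-12:00:{s:02d}.000000  [**] [1:1000001:1] Constructed WAN noise [**] "
           f"[Classification: Misc activity] [Priority: 3] {{TCP}} 203.0.113.{s + 1}:40000 -> 198.51.100.1:22"
           for s in range(60)]
    lan = [f"01/01/2025-12:00:{s:02d}.500000  [**] [1:1000002:1] Constructed LAN alert [**] "
           f"[Classification: Potentially Bad Traffic] [Priority: 2] {{UDP}} 192.168.1.50:5353 -> 192.0.2.9:53"
           for s in (5, 15, 25)]
    return {"WAN": wan, "LAN": lan + ["truncated line with no alert fields"]}

if __name__ == "__main__":
    alerts = load(sample_logs())
    print("merged:", [a["iface"] for a in newest_merged(alerts)].count("LAN"), "LAN alerts of 20")
    for iface, rows in newest_per_iface(alerts).items():
        print(iface, len(rows), "newest:", rows[0]["ts"], rows[0]["msg"])
```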

          • SteveITS @bmeeks

          @bmeeks said in Suricata widget only giving alerts on WAN. No LAN alerts:

          The LAN is a much better place in almost all cases

          I set up a new router for a client today. When creating a new interface it defaults to WAN...I thought of this thread. Perhaps it should default to LAN? (this was Snort but I know it's the same code in pfSense). Possibly this is tied to the interface id (mvneta0=WAN vs mvneta1=LAN on this SG-2100).

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

            • bmeeks @SteveITS

            @teamits said in Suricata widget only giving alerts on WAN. No LAN alerts:

            @bmeeks said in Suricata widget only giving alerts on WAN. No LAN alerts:

            The LAN is a much better place in almost all cases

            I set up a new router for a client today. When creating a new interface it defaults to WAN...I thought of this thread. Perhaps it should default to LAN? (this was Snort but I know it's the same code in pfSense). Possibly this is tied to the interface id (mvneta0 vs mvneta1 on this SG-2100).

            Yeah, that's probably something I should think about changing. That was the way it worked years ago when I inherited maintenance of the Snort package and I never changed it. That default also got copied over to Suricata when I created that package.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.