Suricata widget only giving alerts on WAN. No LAN alerts


  • How do I change that and give the widget more than 20 alerts?

    On a busy system it's hard to follow the amount of alerts going through...


  • @cool_corona said in Suricata widget only giving alerts on WAN. No LAN alerts:

    How do I change that and give the widget more than 20 alerts?

    On a busy system it's hard to follow the amount of alerts going through...

    The widget displays the most recent alerts from all of the alert logs. So a really busy WAN may well overwhelm a not-so-busy LAN when you run instances on both. The limit of 20 is just because of the limited space on the dashboard. I wanted the widget to play nice with all the other widgets.

    But as I've said many times, there is seldom a reason for users to put an instance on their WAN. The LAN is a much better place in almost all cases. The only time I would consider an instance on the WAN is if I had internal servers exposed to the web, but even then I would create a DMZ and put the IDS instance on the DMZ and not the WAN. The WAN is always going to show a lot of useless noise because the IDS sits out in front of the firewall. Thus it will see and alert on junk the firewall is going to likely block anyway.

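As an added illustration of the point above (this is not the widget's code and not anything from the Snort or Suricata packages), the script below merges constructed Suricata fast.log output from a WAN and a LAN instance, takes the newest 20 overall the way a dashboard widget does, and then lists the newest alerts per interface so a busy WAN cannot push the LAN off the list. The fast.log line layout is Suricata's; the interface names, addresses, SIDs and alert lines are constructed samples, not real traffic.

```python
"""Merge Suricata fast.log alerts from several instances and compare a single
"newest N" view with a per-interface "newest N" view.  Added example; the log
lines below are constructed, not captured traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Suricata fast.log format (one alert per line), e.g.:
# 02/05/2022-12:34:56.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
#   [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 1.2.3.4:80 -> 10.0.0.5:54321
FAST_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
TS_FMT = "%m/%d/%Y-%H:%M:%S.%f"


def parse_fast_line(line, iface):
    """Parse one fast.log line; return None for lines that are not alerts."""
    m = FAST_LINE.match(line)
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], TS_FMT)
    a["prio"] = int(a["prio"])
    a["iface"] = iface
    return a


def load_alerts(logs):
    """logs: {interface_name: fast.log text}. Returns every parsed alert tagged with its interface."""
    alerts = []
    for iface, text in logs.items():
        for line in text.splitlines():
            a = parse_fast_line(line, iface)
            if a:
                alerts.append(a)
    return alerts


def most_recent(alerts, n=20):
    """The dashboard-widget view: newest n alerts across all instances."""
    return sorted(alerts, key=lambda a: a["ts"], reverse=True)[:n]


def most_recent_per_iface(alerts, n=20):
    """Newest n alerts for each interface separately, so a noisy WAN cannot hide LAN alerts."""
    by_iface = defaultdict(list)
    for a in alerts:
        by_iface[a["iface"]].append(a)
    return {iface: most_recent(v, n) for iface, v in by_iface.items()}


def count_by_iface(alerts):
    counts = defaultdict(int)
    for a in alerts:
        counts[a["iface"]] += 1
    return dict(counts)


# --- constructed sample logs (hypothetical addresses and SIDs) ---
def _line(ts, sid, msg, cls, prio, src, dst):
    return (f"{ts.strftime(TS_FMT)}  [**] [1:{sid}:1] {msg} [**] "
            f"[Classification: {cls}] [Priority: {prio}] {{TCP}} {src} -> {dst}")


BASE = datetime(2022, 2, 5, 12, 0, 0)
# 25 WAN alerts in the last half minute: unsolicited scans the firewall would drop anyway.
WAN_LOG = "\n".join(
    _line(BASE + timedelta(seconds=30 + i), 2001219 + i, "ET SCAN Potential SSH Scan",
          "Attempted Information Leak", 2, f"203.0.113.{i + 1}:5{i:04d}", "198.51.100.1:22")
    for i in range(25))
# 3 LAN alerts slightly earlier: the ones a defender actually wants to see.
LAN_LOG = "\n".join([
    _line(BASE + timedelta(seconds=5), 2100498, "GPL ATTACK_RESPONSE id check returned root",
          "Potentially Bad Traffic", 2, "192.168.1.50:80", "192.168.1.10:49152"),
    _line(BASE + timedelta(seconds=12), 2025019, "ET MALWARE Possible Beacon Check-in",
          "A Network Trojan was detected", 1, "192.168.1.23:51234", "203.0.113.200:443"),
    "stray non-alert line that the parser must skip",
    _line(BASE + timedelta(seconds=20), 2013028, "ET POLICY curl User-Agent Outbound",
          "Attempted Information Leak", 2, "192.168.1.23:51240", "203.0.113.200:80"),
])

ALL = load_alerts({"WAN": WAN_LOG, "LAN": LAN_LOG})

if __name__ == "__main__":
    top = most_recent(ALL, 20)
    print("widget view (newest 20 across all logs):", count_by_iface(top))
    totals = count_by_iface(ALL)
    for iface, alerts in most_recent_per_iface(ALL, 5).items():
        print(f"\n{iface}: newest {len(alerts)} of {totals[iface]}")
        for a in alerts:
            print(f"  {a['ts']:%H:%M:%S} sid={a['sid']} p{a['prio']} {a['src']} -> {a['dst']}  {a['msg']}")
```

Run against the real logs by pointing `load_alerts` at the fast.log of each instance (under the Suricata log directory of each interface); the widget view shows 20 WAN entries and no LAN entries, while the per-interface view still surfaces the three LAN alerts.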

  • @bmeeks said in Suricata widget only giving alerts on WAN. No LAN alerts:

    The LAN is a much better place in almost all cases

    I set up a new router for a client today. When creating a new interface it defaults to WAN... I thought of this thread. Perhaps it should default to LAN? (This was Snort, but I know it's the same code in pfSense.) Possibly this is tied to the interface id (mvneta0=WAN vs mvneta1=LAN on this SG-2100).


  • @teamits said in Suricata widget only giving alerts on WAN. No LAN alerts:

    @bmeeks said in Suricata widget only giving alerts on WAN. No LAN alerts:

    The LAN is a much better place in almost all cases

    I set up a new router for a client today. When creating a new interface it defaults to WAN... I thought of this thread. Perhaps it should default to LAN? (This was Snort, but I know it's the same code in pfSense.) Possibly this is tied to the interface id (mvneta0 vs mvneta1 on this SG-2100).

    Yeah, that's probably something I should think about changing. That was the way it worked years ago when I inherited maintenance of the Snort package and I never changed it. That default also got copied over to Suricata when I created that package.