Suricata IPS
-
Hi,
Suricata in Security Onion does not support IPS directly, hence we are trying to add a pfSense firewall with Suricata IPS, and pfSense should consume the Suricata IDS alerts from Security Onion and apply Suricata IPS filters.
Need suggestions.
Thank you!
-
@jack-jones As I can see, in legacy-mode blocking pfSense is blocking the IP based on Suricata IDS alerts, but is it possible that pfSense will read Suricata alerts from Security Onion and will only work on IPS (blocking) and not IDS?
-
Hi,
I was using Suricata in Security Onion to get IDS alerts, and since SO does not support Suricata IPS I started exploring pfSense Suricata IDS/IPS. Now I have Suricata IDS alerts in SO as well as in pfSense. In addition to this, Suricata in pfSense can do the blocking part using legacy-mode blocking. That means IPS is sorted in pfSense.
If I want to integrate Security Onion and pfSense for Suricata IDS/IPS, then what would be the best possible solution:
Just forward pfSense remote logs (IPS/IDS) to SO, then have alerts in SO Kibana and remove Suricata IDS from SO?
Forward SO Suricata IDS alerts to pfSense using plugins and let pfSense perform only IPS (blocking) - (sounds weird?)
Kindly share suggestions.
-
Suricata on pfSense does not work that way. You could send the logs from pfSense over to Security Onion, but Suricata on pfSense is totally unaware of anything outside of pfSense and would ignore anything sent back from Security Onion.
Suricata on pfSense can run in either IDS or IPS modes. In IPS mode, Suricata on pfSense offers two "blocking" modes.
The original mode, copied actually from the Snort package on pfSense, is called Legacy Mode. That mode uses a custom output plugin compiled into the Suricata binary. That plugin gets a copy of every alert, pulls out the IP addresses, compares them to a Pass List of IP addresses that should never be blocked, and if the IP address from the alert is not on the Pass List it is blocked. The blocking is done by making a system call to the pf firewall engine in pfSense and adding the IP address to a built-in pf table called snort2c. IP addresses in that table are blocked by built-in, hidden rules.
There is a slightly modified version of Legacy Mode blocking that configures the custom plugin to only block an IP when the rule's action is changed to DROP. This mode is called "Block on DROPs Only", and is enabled via a checkbox on the INTERFACE SETTINGS tab for a Suricata interface. When using this option, you must change the action from ALERT to DROP for any rule which you want to block traffic. This can be done on the SID MGMT tab using the features there, or you can manually adjust the action of a rule on the RULES tab and on the ALERTS tab (for a previously triggered rule which generated an alert).
The other newer blocking mechanism is true Inline IPS Mode. This mode uses the FreeBSD netmap kernel device. This mode allows selective dropping of individual packets rather than using the blunt hammer of blocking the IP address entirely. This mode requires compatible NIC hardware, meaning a NIC that is supported by the netmap device. As with the "Block on DROPs Only" option, when using Inline IPS Mode you must change the default rule action from ALERT to DROP for any rules you wish to block traffic. You do this the same way as described previously.
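The Legacy Mode decision flow described in the post above, written out as an added example (this is not the pfSense package's plugin code, which is compiled into the Suricata binary in C). It reads Suricata EVE JSON alert records, skips any address on a Pass List, honours the "Block on DROPs Only" switch by consulting a per-SID action map, and returns the pf table additions to snort2c it would make instead of executing them. The alert records, the Pass List entries and the RULE_ACTIONS map are all constructed for the example; the `pfctl -t <table> -T add <addr>` form is real pfctl syntax, but how the plugin actually calls into pf is not shown in the thread and is assumed here.

```python
"""Model of pfSense Suricata "Legacy Mode" blocking (added example, not
the package's own plugin). Nothing is executed: the pf table additions
are returned as strings so the decision logic can be inspected."""
import ipaddress
import json

PF_TABLE = "snort2c"  # built-in pf table named in the post

# Constructed sample EVE alert records (not real traffic). event_type
# "flow" is included to show that only alerts are considered.
SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    {"event_type": "alert", "src_ip": "203.0.113.5", "dest_ip": "192.168.1.20",
     "alert": {"signature_id": 1000001, "signature": "TEST A"}},
    {"event_type": "alert", "src_ip": "198.51.100.9", "dest_ip": "192.168.1.20",
     "alert": {"signature_id": 1000002, "signature": "TEST B"}},
    {"event_type": "alert", "src_ip": "192.168.1.20", "dest_ip": "203.0.113.77",
     "alert": {"signature_id": 1000003, "signature": "TEST C"}},
    {"event_type": "flow", "src_ip": "10.0.0.1", "dest_ip": "10.0.0.2"},
])

# Constructed Pass List: the LAN and the firewall itself must never be blocked.
PASS_LIST = ["192.168.1.0/24", "127.0.0.1"]

# Constructed rule actions as they would stand after edits on the SID MGMT
# or RULES tab; SIDs absent from the map keep the default action, ALERT.
RULE_ACTIONS = {1000002: "drop", 1000003: "drop"}


def parse_pass_list(entries):
    """Turn Pass List entries (single IPs or CIDR blocks) into networks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def on_pass_list(ip, networks):
    """True if the address falls inside any Pass List network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def plan_blocks(eve_text, pass_list, rule_actions, block_on_drops_only=False):
    """Return (ips, pfctl_commands) that legacy-mode blocking would apply.

    block_on_drops_only=False models plain Legacy Mode: every alert blocks.
    block_on_drops_only=True models the "Block on DROPs Only" checkbox: only
    alerts from rules whose action has been changed to DROP block.
    Both source and destination of the alert are candidates, so the whole
    host is blocked in both directions, not the individual packet.
    """
    networks = parse_pass_list(pass_list)
    to_block = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        sid = rec["alert"]["signature_id"]
        if block_on_drops_only and rule_actions.get(sid, "alert") != "drop":
            continue
        for ip in (rec["src_ip"], rec["dest_ip"]):
            if on_pass_list(ip, networks) or ip in to_block:
                continue
            to_block.append(ip)
    # Assumed shape of the pf table update; pfctl -t TABLE -T add ADDR is
    # the documented pfctl syntax, the plugin's real call path is not shown.
    commands = [f"pfctl -t {PF_TABLE} -T add {ip}" for ip in to_block]
    return to_block, commands


if __name__ == "__main__":
    for mode in (False, True):
        ips, cmds = plan_blocks(SAMPLE_EVE, PASS_LIST, RULE_ACTIONS, mode)
        print("Block on DROPs Only" if mode else "Legacy Mode", "->", ips)
        for cmd in cmds:
            print("   ", cmd)
```

With the constructed input, plain Legacy Mode blocks all three external addresses while "Block on DROPs Only" skips 203.0.113.5 because SID 1000001 was left at ALERT; 192.168.1.20 is never blocked in either mode because it sits inside the Pass List network. On a real pfSense box the current contents of the table can be listed with `pfctl -t snort2c -T show`.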
-
@bmeeks Thanks a lot for the detailed answer. I will go ahead with Suricata IPS in pfSense with legacy-mode blocking on, then send those alerts to the system log and from there to Security Onion over syslog.
Security Onion can parse pfSense logs out of the box and then have custom Kibana Dashboards.