Netgate Discussion Forum

    can snort/suricata secure clients using VM?

    IDS/IPS
    7 Posts 4 Posters 819 Views
    ezvink

      I have 3 VMs namely:

      1. VM pfsense
      2. VM client (lubuntu)
      3. VM Attacker (Kali Linux)

      I want to secure the VM client by using snort/suricata, which is installed on the pfSense VM, but the problem I face is that my snort/suricata does not detect an attack that enters the LAN interface; if I attack the WAN interface, snort/suricata can detect it.

      SteveITS @ezvink

        @ezvink If 2 and 3 are on the same network then that traffic doesn't go through the router.

        You can set up either IDS package on WAN, LAN, or even both (in which case it runs twice).

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        ezvink @SteveITS

          @steveits

          That's what I want to ask, sir. Right, the network used by the VM Attacker is the same network as the VM Client, but it doesn't work, sir: attacking the client is not detected by snort/suricata.

          ezvink @SteveITS

            @steveits
            I have also set the IDS to secure the LAN network, but it is still not detected by snort/suricata.

            NollipfSense @ezvink

              @ezvink You should reread what SteveITS said in the first sentence above. I would be surprised if you have all three VMs on the same computer, do you?

              pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
              pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

              ezvink @NollipfSense

                @nollipfsense

                You mean I have to differentiate the network between VM 2 and 3?

                I do run all three of these VMs on the same computer, sir.

                bmeeks @ezvink
                last edited by bmeeks

                  @ezvink said in can snort/suricata secure clients using VM?:

                  @steveits

                  That's what I want to ask, sir. Right, the network used by the VM Attacker is the same network as the VM Client, but it doesn't work, sir: attacking the client is not detected by snort/suricata.

                  Two hosts on the same network (meaning the same subnet and/or VLAN) will communicate with each other directly point-to-point. They will NOT send their traffic through any gateway or firewall on a third host. So the pfSense machine in the scenario you described will never "see" the traffic between those two hosts (your VM Attacker and VM Client) and therefore cannot generate alerts. pfSense and any IDS/IPS running on it is blind to the traffic.

                  The only time hosts will send traffic through a gateway or firewall is when the destination of the traffic is on a completely different network.

                  In your other posts here, you seem to lack basic knowledge of networking and the setup of hypervisors. Before you try experiments with an IDS/IPS, you should first really study and learn fundamental networking theory. Even a cursory knowledge of how routing works in the OSI model would have allowed you to immediately see why your current setup will not work.

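                  As an added illustration of the point made in this thread (this is not code from the thread, from pfSense, or from Snort/Suricata), the following Python model reproduces the forwarding decision each host makes: a destination inside the host's own subnet is delivered directly on the segment (or virtual switch), so pfSense and any IDS on it never see the packet; a destination outside the subnet is sent to the host's gateway, and only if that gateway is a pfSense interface does an IDS instance bound to that interface get to inspect it. All addresses, the "OPT1" interface and the hostnames are constructed assumptions for a lab like the three-VM one described above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Constructed lab topology (assumption): pfSense owns one address on each segment.
PFSENSE_IFACES = {
    "LAN":  "192.168.1.1",
    "OPT1": "192.168.2.1",
    "WAN":  "203.0.113.2",
}


@dataclass(frozen=True)
class Host:
    name: str
    ip: str        # host address, e.g. "192.168.1.10"
    prefix: int    # subnet mask length, e.g. 24
    gateway: str   # default gateway used for off-subnet destinations

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.ip}/{self.prefix}", strict=False)


# Constructed hosts: the thread's client and three possible attacker placements.
CLIENT            = Host("VM client (lubuntu)",      "192.168.1.10", 24, "192.168.1.1")
ATTACKER_SAME_LAN = Host("VM attacker on LAN",       "192.168.1.20", 24, "192.168.1.1")
ATTACKER_OPT1     = Host("VM attacker on OPT1",      "192.168.2.20", 24, "192.168.2.1")
ATTACKER_WAN      = Host("VM attacker on WAN side",  "203.0.113.50", 24, "203.0.113.2")


def next_hop(src: Host, dst_ip: str) -> str:
    """The decision a host's IP stack makes: on-link delivery or send to the gateway."""
    if ipaddress.ip_address(dst_ip) in src.network:
        return "direct"          # same subnet: ARP for the peer and deliver at layer 2
    return src.gateway           # different subnet: hand the packet to the gateway


def inspecting_interface(src: Host, dst: Host) -> Optional[str]:
    """pfSense interface that receives src->dst traffic, or None if pfSense never sees it."""
    hop = next_hop(src, dst.ip)
    if hop == "direct":
        return None              # IDS on pfSense is blind: the packet never reaches it
    for iface, addr in PFSENSE_IFACES.items():
        if addr == hop:
            return iface         # an IDS instance bound here can inspect the packet
    return None                  # gateway is some other router, not pfSense


def interfaces_seeing_flow(a: Host, b: Host) -> Set[str]:
    """Interfaces that see either direction of an a<->b flow (why LAN+WAN IDS inspects twice)."""
    return {i for i in (inspecting_interface(a, b), inspecting_interface(b, a)) if i}


if __name__ == "__main__":
    for attacker in (ATTACKER_SAME_LAN, ATTACKER_OPT1, ATTACKER_WAN):
        seen = interfaces_seeing_flow(attacker, CLIENT)
        verdict = ", ".join(sorted(seen)) if seen else "none (IDS cannot alert)"
        print(f"{attacker.name:28} -> {CLIENT.name}: pfSense interfaces seeing the flow: {verdict}")
```

                  Running the script shows the three cases side by side: an attacker on the client's own /24 produces no pfSense interface at all, which is the situation in this thread; an attacker on a separate internal segment is seen on OPT1 on the way in and on LAN on the way back; an attacker whose route into the lab goes through the pfSense WAN address is seen on WAN, matching the observation that WAN-side attacks are the ones that produce alerts.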
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.