can snort/suricata secure clients using VM?
-
I have 3 VMs namely:
- VM pfsense
- VM client (lubuntu)
- VM Attacker (Kali Linux)
I want to secure the VM client by using snort/suricata, which is installed on the pfSense VM, but the problem I face is that my snort/suricata does not detect an attack that enters the LAN interface; if I attack the WAN interface, snort/suricata can detect it.
-
@ezvink If 2 and 3 are on the same network then that traffic doesn't go through the router.
You can set up either IDS package on WAN, LAN, or even both (in which case it runs twice).
-
That's what I want to ask, sir. Right, the network used by the VM Attacker is the same network as the VM Client, but it doesn't work, sir: attacking the client is not detected by snort/suricata.
-
@steveits
I have also set the IDS to secure the LAN network, but it is still not detected by snort/suricata.
-
@ezvink You should reread what SteveTS said in the first sentence above. I would be surprised if you have all three VMs on the same computer, do you?
-
You mean I have to differentiate the network between VM 2 and 3?
I do run all three of these VMs on the same computer, sir.
-
@ezvink said in can snort/suricata secure clients using VM?:
That's what I want to ask, sir. Right, the network used by the VM Attacker is the same network as the VM Client, but it doesn't work, sir: attacking the client is not detected by snort/suricata.
Two hosts on the same network (meaning the same subnet and/or VLAN) will communicate with each other directly point-to-point. They will NOT send their traffic through any gateway or firewall on a third host. So the pfSense machine in the scenario you described will never "see" the traffic between those two hosts (your VM Attacker and VM Client) and therefore cannot generate alerts. pfSense and any IDS/IPS running on it is blind to the traffic.
The only time hosts will send traffic through a gateway or firewall is when the destination of the traffic is on a completely different network.
In your other posts here, you seem to lack basic knowledge of networking and the setup of hypervisors. Before you try experiments with an IDS/IPS, you should first really study and learn fundamental networking theory. Even a cursory knowledge of how routing works in the OSI model would have allowed you to immediately see why your current setup will not work.
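The routing decision described in the reply above (on-link destinations are reached directly, off-link destinations go to the gateway) decides which packets a pfSense-hosted IDS can ever inspect. The following is an added example, not code from the thread or from pfSense/Snort/Suricata; the lab addresses (192.168.1.0/24 for LAN, 203.0.113.0/24 for WAN, pfSense at .1 on each) are assumptions, since the thread names none. It models the three VMs and reports, for each flow, which pfSense interface (and therefore which IDS instance) would see the traffic.

```python
from ipaddress import ip_address, ip_interface
from typing import Optional, Tuple, Dict

# Constructed lab addressing (assumption: the thread gives no addresses).
# pfSense has one address on each side; an IDS bound to an interface only
# inspects packets that actually arrive on that interface.
PFSENSE_IFACES = {
    "LAN": ip_interface("192.168.1.1/24"),
    "WAN": ip_interface("203.0.113.1/24"),
}


def next_hop(src_iface: str, dst: str, gateway: str) -> Tuple[str, str]:
    """Simplified host routing decision.

    If the destination falls inside the sender's own subnet, the host ARPs for
    it and sends the frame point-to-point ("direct").  Otherwise the frame is
    addressed to the default gateway ("via"), which is the only case in which
    a router on a third host sees the packet at all.
    """
    src = ip_interface(src_iface)
    d = ip_address(dst)
    if d in src.network:
        return ("direct", str(d))
    return ("via", gateway)


def pfsense_sees(src_iface: str, dst: str, gateway: str) -> Optional[str]:
    """Return the pfSense interface whose IDS would see this packet, or None.

    A packet reaches pfSense only when the layer-2 target of the frame is one
    of pfSense's own addresses: either the gateway the sender chose, or pfSense
    itself as the final destination.
    """
    _, target = next_hop(src_iface, dst, gateway)
    target_ip = ip_address(target)
    for name, iface in PFSENSE_IFACES.items():
        if target_ip == iface.ip:
            return name
    return None


# Constructed flows for the three-VM lab: (sender interface, destination, sender's gateway).
SCENARIOS = {
    "attacker_on_LAN -> client": ("192.168.1.20/24", "192.168.1.10", "192.168.1.1"),
    "attacker_on_WAN -> client": ("203.0.113.50/24", "192.168.1.10", "203.0.113.1"),
    "client -> internet host":   ("192.168.1.10/24", "198.51.100.7", "192.168.1.1"),
}


def evaluate(scenarios: Dict[str, Tuple[str, str, str]] = SCENARIOS) -> Dict[str, Optional[str]]:
    """Map each scenario name to the pfSense interface that sees it (None = invisible)."""
    return {name: pfsense_sees(*args) for name, args in scenarios.items()}


if __name__ == "__main__":
    for name, seen_on in evaluate().items():
        print(f"{name:28s} -> {'IDS on ' + seen_on if seen_on else 'never reaches pfSense'}")
```

Running it shows the attacker-to-client flow on the shared LAN never reaching pfSense, while the same client attacked from the WAN side, or the client talking to an off-subnet host, does. That is the whole reason the LAN-bound IDS stays silent in the original setup: to test an IDS on pfSense, the attacker VM has to sit on a different segment from the client (a separate virtual switch behind its own pfSense interface, or the WAN side), so that its traffic is routed through the firewall instead of switched past it.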