Suricata - interfaces
-
Hi,
So my use case: I want simple IDS functionality with alerting - no blocking whatsoever (yet?). Running pfsense plus.
I’ve read a couple of times now that you should enable Suricata on the physical interface, not on the VLAN interface. However, these VLAN interfaces do show up in the list, and I guess sometimes you want to have rules that consider VLAN2 as ‘external net’.
My interfaces are the following:
WAN (lagg0.4090)
MGMT (lagg0.4091)
IXOMGMT (ix0)
MONITORINGOPT3 (igb0)
ALARM (ix0.701)
IOT (ix0.702)
STUDIO (ix0.705)
STUDENT (ix0.707)
GUEST (ix0.708)
OFFICEWIRED (ix0.709)
OFFICEWIRELESS (ix0.710)
Unassigned
So:
- should I enable Suricata on ix0, or rather on the vlans separately (eg ix0.709)?
- if the former, then should I copy that instance a couple of times to be able to alter the home net and the external net variables?
Thanks for any pointers.
-
Enabling on the parent interface (ix0 in your case) would be suggested. Suricata will, by default, place the interface it is enabled on in promiscuous mode. That means all traffic hitting the NIC will be seen by Suricata and checked regardless of any VLAN tag or the assigned IP subnet.
The automatic HOME_NET and EXTERNAL_NET generation logic in the package will populate those variables using all the IP addresses/subnets defined on locally-attached interfaces (including VLANs). So the HOME_NET and EXTERNAL_NET variable will be default populated with the correct values.
If you want to customize the HOME_NET or EXTERNAL_NET values for a given VLAN, then you would need to create an instance for that VLAN. But even then the default configuration enables promiscuous mode so the instance will still see all the traffic on the underlying parent interface (unless you specifically disable promiscuous mode on the instance).
So to sum this up, when using non-blocking mode you do have the option of creating Suricata instances on a per-VLAN basis, but it still is likely to see traffic from the parent and trigger on it. So why not just save the RAM usage caused by duplicate VLAN instances and just run a single instance on the parent?
-
@bmeeks
Thank you very much for the suggestion. I now enabled it on the ix0 interface, let's see how it runs. I thought perhaps the RAM/CPU usage would be lower when I only selected one VLAN, but I understand that it does not really matter: all traffic of the physical interface will be analyzed anyway.
Now, regarding the point about VLAN-to-VLAN monitoring. Imagine I'd like to get alerts when IOT attacks a client in OFFICEWIRED. That won't work if I have just a single Suricata instance running on ix0, right? Because most rules do not consider home=>home traffic. For example: the emerging-scan rules look at external_net as source.
-
@mkcharlie said in Suricata - interfaces:
@bmeeks
Now, regarding the point about VLAN-to-VLAN monitoring. Imagine I'd like to get alerts when IOT attacks a client in OFFICEWIRED. That won't work if I have just a single Suricata instance running on ix0, right? Because most rules do not consider home=>home traffic. For example: the emerging-scan rules look at external_net as source.
Correct, almost none of the canned ET nor Snort VRT rules will look at HOME_NET to HOME_NET type of traffic. They are mostly geared towards protecting from external threats and thus tend to want EXTERNAL_NET in the conditional part of the rule. You could, of course, create your own custom rules with any combination of source and destination IP addresses and ports.
And I assume you already know this, but will mention it anyway in case others come across this thread in the future. Traffic between hosts in the same VLAN or network will not be seen by Suricata on the firewall because such traffic will go from point-to-point through the Ethernet switch directly between those hosts and bypass the firewall (and thus Suricata) completely.
-
@bmeeks
Thinking about it, if I simply add the VLAN subnets to the ‘external-net’ variable (and keep them also in the home net variable), wouldn’t then the external net -> home net alert rules trigger?
Like you say, traffic inside the vlan does not pass the firewall anyway, so it shouldn’t mess things up too badly?
-
If you mix internal networks into EXTERNAL_NET, you very likely will increase the number of false positive alerts from routine traffic.
If you have specific design goals, it is very easy to provide your own customized rules. You add them by choosing Custom Rules in the drop-down on the RULES tab and then typing in or pasting in the rules you need. They will be combined with any other rules from previously selected categories.
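An added worked example (not from this thread, and not code from the pfSense package or the Suricata project) that models the three points made above: why a canned `$EXTERNAL_NET -> $HOME_NET` rule never fires on IOT-to-OFFICEWIRED traffic, why a custom rule naming both subnets does, and why same-VLAN traffic is never seen by Suricata on the firewall at all. The VLAN subnets, the two rules and the sample flows are all constructed for illustration; the thread gives no addressing. The address evaluator is a deliberately simplified model of Suricata's rule-header semantics (items in `[...]` are OR'ed, a leading `!` negates, variables expand recursively), so `MIXED_VARS` shows what the poster's idea of adding a VLAN subnet to EXTERNAL_NET does under that model, not an exact reproduction of Suricata's address-group parser.

```python
import ipaddress
import re

# Constructed example subnets for three VLANs named in the thread (assumption).
VLAN_SUBNETS = {
    "IOT": "10.70.2.0/24",              # ix0.702
    "OFFICEWIRED": "10.70.9.0/24",      # ix0.709
    "OFFICEWIRELESS": "10.70.10.0/24",  # ix0.710
}

# What the package's automatic variable generation amounts to:
# HOME_NET = every locally attached subnet, EXTERNAL_NET = everything else.
DEFAULT_VARS = {
    "HOME_NET": "[" + ",".join(VLAN_SUBNETS.values()) + "]",
    "EXTERNAL_NET": "!$HOME_NET",
}
# The poster's idea: keep HOME_NET, but also list the IOT subnet in EXTERNAL_NET
# (simplified OR semantics, see lead-in).
MIXED_VARS = {
    "HOME_NET": DEFAULT_VARS["HOME_NET"],
    "EXTERNAL_NET": "[!$HOME_NET,10.70.2.0/24]",
}

def _split_group(spec):
    """Split 'a,b,[c,d]' on top-level commas only (nested brackets kept intact)."""
    items, depth, cur = [], 0, ""
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    return items + [cur] if cur else items

def addr_matches(spec, ip, variables):
    """True if `ip` is covered by a rule address spec such as '!$HOME_NET'."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(i, ip, variables) for i in _split_group(spec[1:-1]))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """True if `port` is covered by 'any', '22', '[22,445]', '1024:' or '!22'."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec.startswith("[") and spec.endswith("]"):
        return any(port_matches(p, port) for p in spec[1:-1].split(","))
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\(")

def rule_matches(rule, flow, variables):
    """Evaluate only the rule header (proto/addresses/ports) against a flow
    given as (proto, src_ip, src_port, dst_ip, dst_port)."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unparseable rule header: " + rule)
    proto, sip, sport, dip, dport = flow
    if m["proto"] not in ("ip", proto):
        return False
    fwd = (addr_matches(m["src"], sip, variables) and port_matches(m["sport"], sport)
           and addr_matches(m["dst"], dip, variables) and port_matches(m["dport"], dport))
    if fwd or m["dir"] == "->":
        return fwd
    return (addr_matches(m["src"], dip, variables) and port_matches(m["sport"], dport)
            and addr_matches(m["dst"], sip, variables) and port_matches(m["dport"], sport))

def crosses_firewall(src_ip, dst_ip, subnets=VLAN_SUBNETS):
    """Same-VLAN traffic stays on the switch; only routed traffic reaches
    the firewall and therefore Suricata."""
    for net in (ipaddress.ip_network(n) for n in subnets.values()):
        if ipaddress.ip_address(src_ip) in net and ipaddress.ip_address(dst_ip) in net:
            return False
    return True

# Constructed rules: one in the style of canned ET/VRT rules (external source
# required), one custom rule that names the two VLAN subnets explicitly.
CANNED_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
               '(msg:"CONSTRUCTED ET-style SSH scan"; sid:9000001; rev:1;)')
CUSTOM_RULE = ('alert tcp 10.70.2.0/24 any -> 10.70.9.0/24 [22,445,3389] '
               '(msg:"CONSTRUCTED IOT to OFFICEWIRED admin port"; sid:9000002; rev:1;)')

def evaluate(flow, variables=DEFAULT_VARS):
    """Which rule would fire on `flow`, and would the firewall even see it."""
    _, sip, _, dip, _ = flow
    return {"seen_by_firewall": crosses_firewall(sip, dip),
            "canned": rule_matches(CANNED_RULE, flow, variables),
            "custom": rule_matches(CUSTOM_RULE, flow, variables)}

if __name__ == "__main__":
    for name, flow in [("internet->OFFICEWIRED", ("tcp", "203.0.113.5", 51000, "10.70.9.10", 22)),
                       ("IOT->OFFICEWIRED", ("tcp", "10.70.2.20", 40000, "10.70.9.10", 22)),
                       ("OFFICEWIRED->OFFICEWIRED", ("tcp", "10.70.9.10", 40000, "10.70.9.11", 445))]:
        print(name, evaluate(flow), "mixed EXTERNAL_NET:", evaluate(flow, MIXED_VARS)["canned"])
```

Running it shows the canned rule firing only for the Internet-sourced flow, the custom rule firing only for IOT-to-OFFICEWIRED, and the same-VLAN flow reported as never reaching the firewall. With `MIXED_VARS` the canned rule also fires on the IOT-to-OFFICEWIRED flow, which is exactly the mechanism behind the extra false positives bmeeks warns about: every canned rule's source condition now matches routine inter-VLAN traffic, not just the one scenario the poster cares about.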