Netgate Discussion Forum
    Snort/Suricata cannot detect alert

ezvink:

      I have a network topology like this:

(attached image: network topology)

I installed Snort/Suricata on pfSense. Snort/Suricata will secure the LAN network (Intrnet1) with the added rules, namely NMAP, ICMP, DDoS, etc.

What I want to ask: the Snort/Suricata that I installed can't detect attacks from the Attacker (Intrnet2).
Can Snort/Suricata only detect IPs registered in pfSense, 192.168.15.1 (Intrnet1)? I have also assigned the DHCP server to the IP 192.168.15.1, and the host from the web server got the IP 192.168.15.5; the package installed on the web server is Apache.

stephenw10 (Netgate Administrator):

        It will detect traffic to/from all clients in the Intrnet1 subnet not just the pfSense interface IP.

        Are you seeing any alerts at all? How have you configured Snort/Suricata?

        Steve

ezvink (replying to @stephenw10):

          @stephenw10
Apparently it was detected, sir, but when I tried to hack, the alert appeared a long time later: the information in the Suricata alert log appeared at 5:39 PM Asia/Jakarta, while I did the hack at 11:30 AM Asia/Jakarta.

What do you think is the reason for that, sir? Does the specification of the PC I use have an effect?

johnpoz (LAYER 8 Global Moderator, replying to @ezvink):

@ezvink A system running on X that logs what it sees is going to log per what time it thinks it is. Doesn't matter if that is correct or not.

Did you validate that the time is correct on pfSense?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

NogBadTheBad (replying to @johnpoz):

Run the following from the pfSense command line:

    logger -h 172.16.2.10 -P 514 TEST

172.16.2.10 <- syslog server
514 <- syslog server port

Do the times match?

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

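A clock check along the lines johnpoz and Andy suggest, as an added example that is not part of the thread: it parses a Suricata fast.log timestamp (constructed sample line with made-up IPs and SID), compares it with the time the test traffic was sent from a host with a trusted clock, and classifies the skew. It assumes the sensor is configured for Asia/Jakarta (UTC+7, no DST) and that the reference time is given as an ISO 8601 string.

```python
"""Compare a Suricata alert timestamp with a trusted clock to spot clock skew.

Added example, not code from the thread. Assumes fast.log format and that the
sensor's local zone is Asia/Jakarta (UTC+7, fixed offset, no DST).
"""
import re
from datetime import datetime, timedelta, timezone

JAKARTA = timezone(timedelta(hours=7), "Asia/Jakarta")  # assumed sensor zone

# Constructed sample line in fast.log format; IPs and SID are made up.
SAMPLE_ALERT = ("05/21/2024-17:39:02.000000  [**] [1:1000001:1] LOCAL ICMP test [**] "
                "[Priority: 3] {ICMP} 192.168.20.7 -> 192.168.15.5")

# fast.log prefixes each alert with MM/DD/YYYY-HH:MM:SS.uuuuuu
FAST_LOG_TS = re.compile(r"^(\d{2})/(\d{2})/(\d{4})-(\d{2}):(\d{2}):(\d{2})\.(\d{6})")

def parse_fast_log_time(line, tz=JAKARTA):
    """Return the alert's timestamp as an aware datetime, or None if it does not parse."""
    m = FAST_LOG_TS.match(line)
    if not m:
        return None
    month, day, year, hh, mm, ss, us = (int(x) for x in m.groups())
    return datetime(year, month, day, hh, mm, ss, us, tzinfo=tz)

def clock_skew_seconds(alert_time, reference_time):
    """Seconds the sensor's clock is ahead (+) or behind (-) the reference clock."""
    return (alert_time - reference_time).total_seconds()

def classify_skew(skew, ok_tolerance=60, tz_tolerance=120):
    """Heuristic: a small skew is fine, a skew close to a whole number of hours
    suggests a time-zone mismatch, anything else means the clock is not synchronised."""
    if abs(skew) <= ok_tolerance:
        return "ok"
    hours = round(skew / 3600)
    if hours != 0 and abs(skew - hours * 3600) <= tz_tolerance:
        return "timezone mismatch"
    return "clock not synchronised (check NTP on pfSense)"

def check_alert(line, reference_iso, tz=JAKARTA):
    """Return (skew_seconds, verdict) for one fast.log line, or None if it does not parse.
    reference_iso is when the test traffic was sent, e.g. '2024-05-21T11:30:00' (assumed
    to be in the sensor's zone when no offset is given)."""
    alert_time = parse_fast_log_time(line, tz)
    if alert_time is None:
        return None
    reference = datetime.fromisoformat(reference_iso)
    if reference.tzinfo is None:
        reference = reference.replace(tzinfo=tz)
    skew = clock_skew_seconds(alert_time, reference)
    return skew, classify_skew(skew)

if __name__ == "__main__":
    # Traffic sent at 11:30 Asia/Jakarta, alert logged at 17:39: skew of 6h09m.
    print(check_alert(SAMPLE_ALERT, "2024-05-21T11:30:00"))
```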