Snort/Suricata cannot detect alert
-
I have a network topology like this:
I installed Snort/Suricata on pfSense; Snort/Suricata will secure the LAN network (intrnet1) with the added rules, namely NMAP, ICMP, DDoS, etc.
What I want to ask is: the Snort/Suricata that I installed can't detect attacks from the Attacker (intrnet2).
Can Snort/Suricata only detect IPs registered in pfSense, 192.168.15.1 (intrnet1)? I have also assigned the DHCP server to the IP 192.168.15.1, and the host from the webserver got the IP 192.168.15.5. The package installed on the webserver is Apache.
-
It will detect traffic to/from all clients in the Intrnet1 subnet not just the pfSense interface IP.
Are you seeing any alerts at all? How have you configured Snort/Suricata?
Steve
-
@stephenw10
Apparently it was detected, sir, but when I tried to hack, the alert took a long time to appear: the information from the Suricata alert log appeared at 5:39 PM Asia/Jakarta, while I did the hack at 11:30 AM Asia/Jakarta. What do you think is the reason for that, sir? Does the specification of the PC I use have an effect?
-
@ezvink A system running on X that logs what it sees is going to log per what time it thinks it is. Doesn't matter if that is correct or not.
Did you validate that the time is correct on pfSense?
-
Run the following from the pfSense command line:-
logger -h 172.16.2.10 -P 514 TEST
172.16.2.10 < syslog server
514 < syslog server port
Do the times match?
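As an added example (not code from the thread or from the Suricata project), the following script reads constructed Suricata eve.json alert lines and compares each alert's timestamp with the time the test traffic was actually sent, which separates a whole-hour offset (typical of a wrong timezone or clock on the sensor) from ordinary clock drift; the IPs, signature names and times are assumed sample values.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed eve.json lines (sample values, not from the thread). The
# timestamp format matches what Suricata writes: ISO 8601 with "+0700".
SAMPLE_EVE = """\
{"timestamp":"2023-05-01T17:39:02.000000+0700","event_type":"alert","src_ip":"172.16.2.50","dest_ip":"192.168.15.5","alert":{"signature":"ET SCAN Possible Nmap User-Agent Observed"}}
{"timestamp":"2023-05-01T18:30:02.000000+0700","event_type":"alert","src_ip":"172.16.2.50","dest_ip":"192.168.15.5","alert":{"signature":"GPL ICMP_INFO PING"}}
{"timestamp":"2023-05-01T11:31:10.000000+0700","event_type":"flow","src_ip":"192.168.15.5","dest_ip":"192.168.15.1"}
"""

JAKARTA = timezone(timedelta(hours=7))  # Asia/Jakarta is UTC+7, no DST


def parse_eve_timestamp(ts):
    """Parse a Suricata eve.json timestamp into an aware datetime."""
    # "%z" accepts the colon-less "+0700" offset that Suricata emits.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def alert_skews(eve_text, observed_at):
    """Return (signature, skew) per alert, where skew = logged - observed."""
    results = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue  # flows, stats etc. are not what we are timing
        skew = parse_eve_timestamp(event["timestamp"]) - observed_at
        results.append((event["alert"]["signature"], skew))
    return results


def classify_skew(skew, tolerance=timedelta(minutes=5)):
    """Label a skew: fine, whole-hour (timezone/clock), or plain drift."""
    if abs(skew) <= tolerance:
        return "ok"
    hours = skew.total_seconds() / 3600
    minutes_off_hour = abs(hours - round(hours)) * 60
    if minutes_off_hour <= tolerance.total_seconds() / 60:
        return "whole-hour offset (check timezone/clock on the sensor)"
    return "clock drift (check NTP on the sensor)"


if __name__ == "__main__":
    sent = datetime(2023, 5, 1, 11, 30, tzinfo=JAKARTA)  # when the test ran
    for signature, skew in alert_skews(SAMPLE_EVE, sent):
        print(f"{signature}: logged {skew} after the test -> {classify_skew(skew)}")
```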