Netgate Discussion Forum
    Suricata IDP/IDS on pfSense blocking all traffic

    IDS/IPS
    Dr.Monarch

      Hi all,

      I'm new to Suricata (ver. 7.0.8) running on pfSense (ver. 2.7.2) on a Netgate 6100. My question: is it possible to configure Suricata IDPS (Legacy or Inline) to block all traffic, but allow the traffic pointed to in a SID allow list via SID Management? I understand that IPS in Legacy Mode won't really drop packets directly like inline IPS does.
      In my situation, which is the better option, Legacy or Inline?
      Also, is there a solution which can collect blocked or suspicious traffic from a few Suricata instances to a central console, perhaps via syslog?

      Thank you in advance

      bmeeks @Dr.Monarch

        @Dr-Monarch said in Suricata IDP/IDS on pfSense blocking all traffic:

            Hi all,

            I'm new to Suricata (ver. 7.0.8) running on pfSense (ver. 2.7.2) on a Netgate 6100. My question: is it possible to configure Suricata IDPS (Legacy or Inline) to block all traffic, but allow the traffic pointed to in a SID allow list via SID Management? I understand that IPS in Legacy Mode won't really drop packets directly like inline IPS does.
            In my situation, which is the better option, Legacy or Inline?
            Also, is there a solution which can collect blocked or suspicious traffic from a few Suricata instances to a central console, perhaps via syslog?

            Thank you in advance

        I do not understand what you mean by "SID allow list". There is no such construct within the Suricata package.

        You can set the action of particular rules to PASS instead of ALERT or DROP, but generally that would only be useful when crafting your own unique whitelist rules.

        If your NIC supports native netmap operation, using Inline IPS Mode is better as that allows more selective dropping of only traffic that triggers a rule. Legacy Mode blocks ALL traffic to or from an IP address that triggers a rule. That's a much more blunt enforcement mechanism.

        Suricata creates extensive EVE JSON logs which third-party apps such as ELK and others can consume. But those are not supported within pfSense directly nor in its GUI. You will have to install those tools on an external device and manually configure the appropriate log scraping client on pfSense.

        Dr.Monarch @bmeeks
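        The reply above points at Suricata's EVE JSON output as the thing a central console would consume. As an added example (not code from the thread, the Suricata project or the pfSense package), the script below does the aggregation such a collector would perform once EVE lines from several sensors arrive, for instance over syslog (Suricata's eve-log output can be configured with `filetype: syslog`). It reads alert events, keys them by SID and by the source addresses that got blocked, tolerates non-JSON lines, and ignores non-alert event types. The sensor names, SIDs, signature names and addresses are constructed; the EVE field layout (`event_type`, `alert.signature_id`, `alert.action` of `blocked`/`allowed`) follows Suricata's documented format.

```python
"""Summarise Suricata EVE JSON alert events collected from several sensors.

Added example, not from the forum thread or the pfSense Suricata package.
The EVE lines below are constructed to match Suricata's EVE alert format;
sensor names, SIDs (local range 1000001+) and addresses are made up.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: what a central collector might hold per sensor.
SAMPLE_EVE = {
    "fw-branch-a": [
        '{"timestamp":"2025-01-10T12:00:01.000000+0000","event_type":"alert",'
        '"src_ip":"203.0.113.5","src_port":44321,"dest_ip":"192.0.2.10","dest_port":22,'
        '"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":3,'
        '"signature":"LOCAL test SSH probe","category":"Attempted Information Leak","severity":2}}',
        '{"timestamp":"2025-01-10T12:00:02.000000+0000","event_type":"alert",'
        '"src_ip":"198.51.100.7","src_port":51000,"dest_ip":"192.0.2.10","dest_port":443,'
        '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,'
        '"signature":"LOCAL test TLS anomaly","category":"Misc activity","severity":3}}',
        # A flow record: valid EVE, but not an alert, so it is skipped by the summary.
        '{"timestamp":"2025-01-10T12:00:03.000000+0000","event_type":"flow",'
        '"src_ip":"192.0.2.20","dest_ip":"192.0.2.1","proto":"UDP"}',
    ],
    "fw-branch-b": [
        '{"timestamp":"2025-01-10T12:01:01.000000+0000","event_type":"alert",'
        '"src_ip":"203.0.113.5","src_port":44322,"dest_ip":"192.0.2.40","dest_port":22,'
        '"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":3,'
        '"signature":"LOCAL test SSH probe","category":"Attempted Information Leak","severity":2}}',
        # Syslog transports occasionally deliver truncated or non-JSON lines.
        "this line is not json and should be skipped",
    ],
}


def parse_eve_line(line):
    """Decode one EVE line; return the event dict, or None if it is not JSON."""
    try:
        evt = json.loads(line)
    except json.JSONDecodeError:
        return None
    return evt if isinstance(evt, dict) else None


def summarise(sensors):
    """Aggregate alert events across sensors.

    Returns a dict with:
      by_sid  -> {sid: {"signature", "total", "blocked", "sensors": set()}}
      by_src  -> Counter of source IPs whose traffic triggered a blocked alert
      skipped -> number of lines that could not be parsed
    """
    by_sid = defaultdict(lambda: {"signature": "", "total": 0, "blocked": 0, "sensors": set()})
    by_src = Counter()
    skipped = 0
    for sensor, lines in sensors.items():
        for line in lines:
            evt = parse_eve_line(line)
            if evt is None:
                skipped += 1
                continue
            if evt.get("event_type") != "alert":
                continue  # flow, dns, tls, ... records are not alerts
            alert = evt["alert"]
            sid = alert["signature_id"]
            rec = by_sid[sid]
            rec["signature"] = alert.get("signature", "")
            rec["total"] += 1
            rec["sensors"].add(sensor)
            if alert.get("action") == "blocked":  # "blocked" = Suricata dropped it
                rec["blocked"] += 1
                by_src[evt["src_ip"]] += 1
    return {"by_sid": dict(by_sid), "by_src": by_src, "skipped": skipped}


def report(summary):
    """Render the summary as plain text, busiest SIDs first."""
    out = []
    for sid, rec in sorted(summary["by_sid"].items(), key=lambda kv: -kv[1]["total"]):
        out.append(f"sid {sid} {rec['signature']!r}: {rec['total']} hits, "
                   f"{rec['blocked']} blocked, seen on {sorted(rec['sensors'])}")
    for ip, n in summary["by_src"].most_common():
        out.append(f"src {ip}: {n} blocked alert(s)")
    out.append(f"skipped {summary['skipped']} unparseable line(s)")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarise(SAMPLE_EVE)))
```

        The point of keying on `alert.action` is that in Inline IPS Mode an alert with `"action":"blocked"` is the record of a drop, whereas `"allowed"` means the rule fired but the packet went through; a central view that separates the two tells you which rules are actually enforcing and which are only observing.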

          @bmeeks Thank you.

          Let me elaborate more on the use of a SID list. What I want to achieve is for the IPS to block all traffic based on ET and ETPro rules, but exclude already confirmed essential traffic (with known SIDs) in an allow list. What I am ideally aiming for is that all traffic is dropped until a particular rule is analyzed and cleared so it can be allowed.

          Hopefully that makes sense.

          bmeeks @Dr.Monarch (last edited by bmeeks)

            @Dr-Monarch said in Suricata IDP/IDS on pfSense blocking all traffic:

                What I am ideally aiming for is that all traffic is dropped until a particular rule is analyzed and cleared so it can be allowed.

            That's not how Suricata works -- unless I am still not understanding what you want to do. You whitelist hosts (by IP address), not SIDs (rules). There is no construct I am aware of that mimics a "whitelist" SID (Signature ID). You can certainly enable or disable particular rules (SIDs), but that will apply to all hosts.

            With Legacy Mode Blocking, all rules do block when triggered. The only exception is IP addresses in the Pass List, which are not blocked. These are by default local LAN hosts, gateways, DNS servers, and the WAN interface's single public IP address. Inline IPS Mode requires that you manually change rule actions to DROP for all rules for which you wish traffic to be blocked when triggered. You can do this via SID MGMT or manually using the provided icons on the ALERTS or RULES tabs.

            There is no concept of a Pass List with Inline IPS Mode because that mode does not block an IP address. It instead drops the particular offending packet (the one that triggered the rule). If you want to exclude a particular IP address from enforcement action, you can use a Suppress List or change the rule's action to PASS and edit the target IP addresses in the SID as necessary.

            What you can do is selectively change the action of a given SID manually. You can set the action of a given SID to ALERT, DROP, REJECT, or PASS.

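            To make the per-SID mechanics in the reply above concrete, here is an added example (not code from the thread, the Suricata project or the pfSense Suricata package) showing what changing a SID's action, or enabling and disabling a SID, amounts to at the level of a Suricata `.rules` file: the action keyword at the front of the rule line is rewritten to `alert`, `drop`, `reject` or `pass`, and a disabled rule is simply a commented-out line. The rules, SIDs and function names are constructed for this example; what the pfSense SID MGMT tab applies to the downloaded rule set is this same transformation, driven by its own configuration files.

```python
"""Rewrite Suricata rule actions by SID, and enable/disable SIDs.

Added example, not from the forum thread or the pfSense Suricata package.
The rules below are constructed with local SIDs (1000001+); the function
names are this example's own.
"""
import re

# Constructed rules in the shape of a downloaded .rules file. The third
# rule is commented out, which is how a disabled SID looks on disk.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL test SSH probe"; flow:to_server; flags:S; threshold:type both,track by_src,count 5,seconds 60; classtype:attempted-recon; sid:1000001; rev:3;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL test TLS anomaly"; tls.version:1.0; classtype:misc-activity; sid:1000002; rev:1;)
# alert dns $HOME_NET any -> any 53 (msg:"LOCAL test disabled DNS rule"; dns.query; content:"example.invalid"; sid:1000003; rev:1;)
# this comment line has no sid and stays as is
"""

ACTIONS = ("alert", "drop", "reject", "pass")

# A rule line: optional leading "#" (disabled), the action keyword, then the
# rest of the rule, which must carry a sid:<n>; option.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|reject|pass)\s+"
    r"(?P<rest>.*\bsid:\s*(?P<sid>\d+)\s*;.*)$"
)


def parse_rule(line):
    """Return (disabled, action, sid, rest) for a rule line, else None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    return bool(m.group("disabled")), m.group("action"), int(m.group("sid")), m.group("rest")


def apply_sid_policy(rules_text, set_action=None, enable=(), disable=()):
    """Return the rules text with per-SID changes applied.

    set_action: {sid: "alert"|"drop"|"reject"|"pass"} rewrites the action.
    enable / disable: SIDs to uncomment or comment out.
    Lines that are not parsable rules (plain comments, blanks) pass through.
    """
    set_action = set_action or {}
    enable, disable = set(enable), set(disable)
    for act in set_action.values():
        if act not in ACTIONS:
            raise ValueError(f"unknown rule action {act!r}")
    out = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            out.append(line)
            continue
        disabled, action, sid, rest = parsed
        action = set_action.get(sid, action)
        if sid in enable:
            disabled = False
        if sid in disable:
            disabled = True
        out.append(("# " if disabled else "") + f"{action} {rest}")
    return "\n".join(out) + "\n"


def actions_by_sid(rules_text):
    """Map sid -> (enabled, action); useful to check a rewritten file."""
    result = {}
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed:
            disabled, action, sid, _ = parsed
            result[sid] = (not disabled, action)
    return result


if __name__ == "__main__":
    # Inline IPS Mode policy for this constructed set: enforce the SSH probe
    # rule with drop, treat the reviewed TLS rule as pass, re-enable the DNS rule.
    rewritten = apply_sid_policy(
        SAMPLE_RULES,
        set_action={1000001: "drop", 1000002: "pass"},
        enable=[1000003],
    )
    print(rewritten)
    print(actions_by_sid(rewritten))
```

            Two properties of the result matter for the question asked in the thread. A SID set to `drop` drops only packets that match that rule, on every host, which is the "selective" enforcement Inline IPS Mode gives you. A SID set to `pass` stops further inspection of a matching packet, so the rule's address fields should be narrowed to the hosts you actually mean to exempt, which is exactly the "edit the target IP addresses in the SID" step in the reply above; there is still no list of SIDs that allows traffic "through" while everything else is dropped.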
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.