Suricata/Snort and VPN protection



  • Hi all,
    I'm a newbie with IPS/IDS systems, and didn't find the answer to my question.
    In Snort or Suricata, it seems that only physical interfaces can be declared for traffic inspection/protection.
    In my case, I'd like Suricata to check traffic entering pfSense via an IPsec endpoint. But I can't find any "virtual interface" to declare and set up in Suricata. Of course, the IPsec endpoint comes in on my WAN physical interface, but will Suricata be able to check traffic inside the tunnel (say, SQL injection, for example)?
    Thank you !  :)
    Pierre



  • Well, I read in a former topic (102457) that a way to inspect traffic inside a VPN is to create a new interface in the Interfaces menu.
    Unfortunately it seems this new interface only appears when it comes to an OpenVPN VPN… not IPsec  :(
    Any help would be appreciated ! ;)
    Thanks !



  • Setting up both Suricata and Snort will not be a good idea. For sure it can be done, but in the usual and
    most common setups it might be better to go with only one solution. You can also set up Snort or Suricata
    to inspect or sniff at your LAN interface, so all traffic passing the WAN and/or the VPN will be inspected if it
    reaches the LAN interface.



  • Did it !  :D  Great !
    In effect, I only intend to set up Suricata for the moment.
    Thank you a lot !

