OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: eponymous on December 22, 2021, 06:52:38 PM

Title: Suricata: does it operate outside firewall or inside?
Post by: eponymous on December 22, 2021, 06:52:38 PM
Hi,

This should be simple to answer and I think I know the answer but just want to confirm.

I've set Suricata to IPS on the WAN interface.

I'm seeing a lot of alerts where the source address is an external IP address (port scans and so on).

Initially this surprised me as I'd just assumed Suricata would sit inside the firewall and only check traffic that had been allowed through the firewall.

But it appears it does this:

                        Router
               -------------------------
Internet <---> | Suricata <-> Firewall |
               -------------------------


rather than this:

                        Router
               -------------------------
Internet <---> | Firewall <-> Suricata |
               -------------------------



Is that correct?

I don't have any open ports in my firewall so for me this is just noise but is still interesting to see what's happening.
Title: Re: Suricata: does it operate outside firewall or inside?
Post by: dennis_u on December 22, 2021, 11:13:59 PM
Quote from: eponymous on December 22, 2021, 06:52:38 PM

                        Router
               -------------------------
Internet <---> | Firewall <-> Suricata |
               -------------------------


That should be the right flow diagram. I only see attacks on my proposed services. In addition to that, the IPS shows me the DNAT IP. DNAT is done by the firewall. This is my explanation approach.
Title: Re: Suricata: does it operate outside firewall or inside?
Post by: Supermule on December 22, 2021, 11:47:12 PM
Internet -> WAN address -> Suricata -> LAN address -> clients if you put Suricata on the WAN interface.

Clients -> LAN address -> Suricata -> WAN address -> Internet if you put Suricata on the LAN interface.
Title: Re: Suricata: does it operate outside firewall or inside?
Post by: AdSchellevis on December 23, 2021, 10:15:36 AM
Suricata uses netmap, which intercepts traffic before it will reach the network stack. See https://docs.opnsense.org/manual/ips.html#choosing-an-interface for more info (it also explains why, for IPv4, IPS should be enabled on internal interfaces and not the external ones).

Best regards,

Ad
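To make the interface-choice point concrete, here is an added example (not code from the thread or from OPNsense) that triages Suricata eve.json alert records: the same outbound HTTP request is shown as it would be logged by a WAN-side sensor (post-NAT, source is the WAN address) and by a LAN-side sensor (real internal host). The WAN address, the HOME_NET range and the eve.json lines are constructed assumptions.

```python
import ipaddress
import json

WAN_IP = "203.0.113.10"           # assumed public address of the WAN interface
HOME_NET = ["192.168.1.0/24"]     # assumed LAN range (the "home networks" field)

# Constructed eve.json records (field names follow Suricata's eve output; values are made up).
# WAN-side sensor: inbound scan hits the WAN address before pf drops it, and the
# outbound request has already been source-NATed, so the real client is not visible.
WAN_EVE = "\n".join([
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.10","dest_port":23,'
    '"alert":{"signature":"ET SCAN Telnet probe (constructed)","action":"blocked"}}',
    '{"event_type":"alert","src_ip":"203.0.113.10","dest_ip":"198.51.100.9","dest_port":80,'
    '"alert":{"signature":"ET POLICY curl User-Agent (constructed)","action":"allowed"}}',
    '{"event_type":"flow","src_ip":"198.51.100.7","dest_ip":"203.0.113.10"}',
])
# LAN-side sensor: pre-NAT, so the internal host is identifiable; the inbound scan never
# reaches this interface because the firewall already dropped it on WAN.
LAN_EVE = "\n".join([
    '{"event_type":"alert","src_ip":"192.168.1.23","dest_ip":"198.51.100.9","dest_port":80,'
    '"alert":{"signature":"ET POLICY curl User-Agent (constructed)","action":"allowed"}}',
])

def classify(rec, wan_ip, home_net):
    """Label one alert by what the sensor position lets you learn from it."""
    nets = [ipaddress.ip_network(n) for n in home_net]
    src = ipaddress.ip_address(rec["src_ip"])
    dst = ipaddress.ip_address(rec["dest_ip"])
    if any(src in n for n in nets):
        return "internal-host-visible"        # actionable: which LAN host triggered it
    if str(src) == wan_ip:
        return "nat-obscured"                 # post-NAT: originating host not recoverable
    if str(dst) == wan_ip:
        return "inbound-unsolicited"          # seen before pf; noise if no ports are open
    return "other"

def triage(eve_text, wan_ip=WAN_IP, home_net=HOME_NET):
    """Count alert records per label; non-alert event types are ignored."""
    counts = {}
    for line in eve_text.splitlines():
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        label = classify(rec, wan_ip, home_net)
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    print("WAN sensor:", triage(WAN_EVE))
    print("LAN sensor:", triage(LAN_EVE))
```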
Title: Re: Suricata: does it operate outside firewall or inside?
Post by: eponymous on December 23, 2021, 05:34:13 PM
@Ad Thanks for confirming!

I also found https://forum.netgate.com/post/671428 which explains the same for pfSense.

Quote from: AdSchellevis on December 23, 2021, 10:15:36 AM
...(it also explains why, for IPv4, IPS should be enabled on internal interfaces and not the external ones).

I did read that when I was first setting this up. For me I don't have a choice of interface to run Suricata on, as I'm using Sensei on the LAN. However, are there any major issues, aside from NAT complications, with running it on the WAN, or is it just "preferred" to run it on the LAN? I've added my external IPv4 address to the home networks field and I can see Suricata dropping various things from outside -> inside. I'm also seeing things that are initiated from my network being dropped as well, which is great to test that it's working, even though so far they're all just false positives :)

Best.
Title: Re: Suricata: does it operate outside firewall or inside?
Post by: AdSchellevis on December 23, 2021, 05:43:38 PM
@eponymous well, there are a couple of issues when using IDPS on the wan side, but that doesn't mean you can't or shouldn't use it. The main ones are the following (mostly as you already expected):