OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Wayne Train on July 20, 2017, 12:52:48 pm

Title: SURICATA IDS-Mode Tuning & Questions
Post by: Wayne Train on July 20, 2017, 12:52:48 pm

I have some questions regarding IDS tuning and the setup itself. First of all: in the Wiki, Suricata is only listening on WAN. Is this correct? I mean, doesn't it make sense to make it listen on LAN, or on LAN too? From my point of understanding, if it listens on WAN I only receive alerts that contain my public IP, but not the IP of a LAN-side host that may be communicating with a C'n'C server.
How do you manage this? Do you listen on both interfaces?

And what about the tuning process? Is there any good tutorial regarding OPN and Suricata? I googled this, but I didn't find anything like this. Only some YouTube tutorials on pfSense and Suricata, but on pfSense Suricata seems to have a lot more features / views / menus...

My first idea was to enable IPS and switch the rules to alert only, then check whether the rules match my network, whether the alerts are false positives and so on, then disable all the unneeded rules and later set the true positives to drop.

I would appreciate it if someone would share some ideas on this.

Best regards.

Title: Re: SURICATA IDS-Mode Tuning & Questions
Post by: bartjsmit on July 20, 2017, 06:36:42 pm

Hi Wayne,

You're on the right track - generally you pick the rules that roughly apply to your setup and then see what alerts you get before switching on IPS.

It makes sense to listen on both interfaces in promiscuous mode to get the best coverage.

Title: Re: SURICATA IDS-Mode Tuning & Questions
Post by: franco on July 21, 2017, 02:22:08 pm

Hi Wayne,

For an encompassing analysis, you should listen on both external and internal networks. Some rules are tailored for the one, some for the other. It depends on what you want to achieve.

One of the main tuning options is the MPM algorithm (Multi-Pattern Matcher); you can use Hyperscan on amd64 to speed things up. Having more features and knobs is nice, but it does not matter all that much, unless you want to be looking at commercial IPS with all those features instead. We try not to cover both sides.