Intrusion Detection and Prevention / Suricata - where?
« on: May 17, 2024, 02:28:00 pm »
I am running OPNsense (current) under Proxmox. My WAN port is currently pass-through, whilst LAN is using a Proxmox/Linux bridge. Works great. Off the bridged LAN are some devices (direct), a wireless access point (eero) in bridged mode, and some dumb switches.
For IDS/IPS, if I were to run on WAN, I’ll get a whole lot of irrelevant noise — I allow virtually zero traffic in, but Suricata captures the data before the firewall. Q1 - is there a way to get Suricata to only look at traffic after the firewall rules are applied?
Alternatively, I tried running only on the LAN. This also has the benefit of potentially looking at any dodgy stuff internal to the network. But when I tried it (even in promiscuous mode) I could only see traffic that was going to/from the router and not other LAN traffic.
I suspect the answer to both is that it’s possible with some interface changes - maybe another intermediate interface for the first, and perhaps Linux (Proxmox) configuration for the latter.
I’m also interested in IDS to understand more about the traffic on my LAN, including understanding what encryption is in use (and details like curves, use of PQC, etc.), but the above is a prerequisite to even thinking about this…
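The traffic-profiling goal in the last paragraph (which curves are in use and whether any post-quantum hybrid is being offered) can be answered from Suricata's own eve.json rather than from raw WAN noise, because the JA3 string Suricata records per TLS session includes the supported_groups list the client offered. The script below is an added example, not code from the post or from the Suricata or OPNsense projects. It assumes Suricata is logging tls events with JA3 enabled (app-layer.protocols.tls.ja3-fingerprints: yes in suricata.yaml, with the ja3 field present in the eve tls output); the eve events it runs on are constructed for the example, not captured. The IANA code points it names are the standard curves plus the draft hybrid code points 4588 (0x11EC, X25519MLKEM768), 4587 (0x11EB, SecP256r1MLKEM768) and 25497 (0x6399, X25519Kyber768Draft00).

```python
"""Summarise TLS versions and offered key-exchange groups from Suricata eve.json.

Added example (not from the forum post or from Suricata/OPNsense). Assumes
Suricata logs 'tls' events with JA3 enabled, so each event carries
tls.ja3.string in the JA3 layout:
    SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats
with '-'-separated decimal IANA code points. Field 4 (EllipticCurves) is
the supported_groups list the *client offered* in its ClientHello.
"""
import json
import sys
from collections import Counter

# IANA TLS supported_groups code points (decimal). The last three are the
# draft hybrid post-quantum code points used by current browsers.
GROUP_NAMES = {
    23: "secp256r1", 24: "secp384r1", 25: "secp521r1",
    29: "x25519", 30: "x448",
    256: "ffdhe2048", 257: "ffdhe3072",
    4588: "X25519MLKEM768",          # 0x11EC
    4587: "SecP256r1MLKEM768",       # 0x11EB
    25497: "X25519Kyber768Draft00",  # 0x6399
}
PQC_GROUPS = {4588, 4587, 25497}


def parse_ja3_groups(ja3_string):
    """Return the offered supported_groups code points from a JA3 string,
    or [] if the string is not a well-formed five-field JA3 string."""
    fields = ja3_string.split(",")
    if len(fields) != 5 or not fields[3]:
        return []
    return [int(g) for g in fields[3].split("-") if g.isdigit()]


def group_name(code):
    return GROUP_NAMES.get(code, "unknown(%d)" % code)


def summarise(lines):
    """Consume eve.json lines and return per-version counts, per-group offer
    counts, and the SNIs whose ClientHello offered a PQ hybrid group."""
    versions, groups, pqc_sni = Counter(), Counter(), set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "tls":
            continue  # flow, dns, alert, ... are not relevant here
        tls = ev.get("tls", {})
        versions[tls.get("version", "unknown")] += 1
        ja3 = (tls.get("ja3") or {}).get("string")
        if not ja3:
            continue  # JA3 disabled or ClientHello not seen in full
        offered = parse_ja3_groups(ja3)
        for g in offered:
            groups[group_name(g)] += 1
        if PQC_GROUPS.intersection(offered):
            pqc_sni.add(tls.get("sni", "?"))
    return {"versions": dict(versions), "groups": dict(groups),
            "pqc_sni": sorted(pqc_sni)}


# Constructed sample events (not real captures): one TLS 1.3 client offering
# X25519MLKEM768, one TLS 1.2 client with classic curves only, one non-tls
# event, and one tls event logged without JA3.
SAMPLE_EVENTS = [
    {"event_type": "tls", "src_ip": "192.168.1.20", "dest_ip": "203.0.113.10",
     "tls": {"sni": "example.com", "version": "TLS 1.3",
             "ja3": {"hash": "0000000000000000000000000000aaaa",
                     "string": "771,4865-4866-4867,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513,4588-29-23-24,0"}}},
    {"event_type": "tls", "src_ip": "192.168.1.21", "dest_ip": "203.0.113.11",
     "tls": {"sni": "legacy.example.net", "version": "TLS 1.2",
             "ja3": {"hash": "0000000000000000000000000000bbbb",
                     "string": "771,49195-49199-156,0-10-11-13,23-24,0"}}},
    {"event_type": "flow", "src_ip": "192.168.1.22", "dest_ip": "203.0.113.12"},
    {"event_type": "tls", "src_ip": "192.168.1.23", "dest_ip": "203.0.113.13",
     "tls": {"sni": "noja3.example.org", "version": "TLS 1.3"}},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    # Usage: python tls_summary.py [/var/log/suricata/eve.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            result = summarise(fh)
    else:
        result = summarise(SAMPLE_LINES)
    print(json.dumps(result, indent=2))
```

Two caveats worth keeping in mind when reading the output. JA3 is computed from the ClientHello only, so the groups it lists are what the client offered, not what was negotiated; the server's choice is in its key_share extension, which the eve tls record does not carry, so for negotiated parameters a pcap (tcpdump on a mirror port, or Suricata's pcap-log) is still needed. And Suricata only emits a JA3 string when it saw the ClientHello in full, so a LAN-side sensor that only sees router-bound traffic will profile the clients talking through the firewall and nothing that stays switch-local.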