OPNsense Forum » Archive » 17.1 Legacy Series » SURICATA IDS-Mode Tuning & Questions
Topic: SURICATA IDS-Mode Tuning & Questions (Read 6636 times)
Wayne Train (Full Member, Posts: 194, Karma: 12)
SURICATA IDS-Mode Tuning & Questions « on: July 20, 2017, 12:52:48 pm »
Hi,
I've some questions regarding IDS tuning and the setup itself. First of all: in the Wiki, Suricata is only listening on WAN. Is this correct? I mean, doesn't it make sense to make it listen on LAN or on LAN, too? From my point of understanding, if it listens on WAN, I only receive alerts that contain my public IP, but not the IP of a LAN-side host that may be communicating with a C'n'C server.
How do you manage this? Do you listen on both interfaces?
And what about the tuning process? Is there any good tutorial regarding OPN and Suricata? I googled this, but I didn't find anything like this. Only some YouTube tutorials on pfSense and Suricata, but on PF Suricata seems to have a lot more features / views / menus...
My first idea was to enable IPS and switch the rules to alert only, then check if the rules match my network, if the alerts are false positives and so on, then disable all the unneeded rules and later set the true positives to drop.
I would appreciate it if someone would share some ideas on this.
Best regards.
Wayne
bartjsmit (Hero Member, Posts: 2014, Karma: 194)
Re: SURICATA IDS-Mode Tuning & Questions « Reply #1 on: July 20, 2017, 06:36:42 pm »
Hi Wayne,
You're on the right track - generally you pick the rules that roughly apply to your setup and then see what alerts you get before switching on IPS.
It makes sense to listen on both interfaces in promiscuous mode to get the best coverage.
Bart...
franco (Administrator, Hero Member, Posts: 17656, Karma: 1610)
Re: SURICATA IDS-Mode Tuning & Questions « Reply #2 on: July 21, 2017, 02:22:08 pm »
Hi Wayne,
For an encompassing analysis, you should listen on both external and internal networks. Some rules are tailored for the one, some for the other. It depends on what you want to achieve.
One of the main tuning options is the MPM algorithm (Multi-Pattern Matcher); you can use Hyperscan on amd64 to speed things up. Having more features and knobs is nice, but it does not matter all that much, unless you want to be looking at commercial IPS with all those features instead. We try not to cover both sides.
Cheers,
Franco
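The workflow both replies describe (listen on WAN and LAN, run in alert-only mode, then look at what fires before enabling drop) comes down to triaging Suricata's eve.json output. The script below is an added example, not code from the thread or from the OPNsense project: it parses eve.json alert lines, counts hits per signature and per capture interface, lists the RFC1918 hosts involved (which is exactly what a WAN-only sensor cannot tell you), and flags the noisiest rules as candidates to review for false positives. The interface names `em0`/`em1` and the sample events are constructed; the field names (`event_type`, `in_iface`, `src_ip`, `dest_ip`, `alert.signature_id`, `alert.signature`) are the ones Suricata writes in its eve.json alert records.

```python
"""Triage Suricata eve.json alerts: which rules fire, on which interface, involving which LAN hosts."""
import ipaddress
import json
from collections import Counter

# Constructed sample eve.json lines (illustrative, not captured traffic).
# Assumed interface names: em0 = WAN, em1 = LAN. SIDs use the local-rule range.
_events = [
    # A non-alert record, to show that only alert events are counted.
    {"event_type": "flow", "in_iface": "em1", "src_ip": "192.168.1.23",
     "dest_ip": "203.0.113.55", "proto": "TCP"},
    # Seen on WAN only: both addresses are public, no LAN host is identified.
    {"event_type": "alert", "in_iface": "em0", "src_ip": "203.0.113.10",
     "dest_ip": "198.51.100.7", "proto": "TCP",
     "alert": {"signature_id": 1000001, "rev": 1, "signature": "LOCAL constructed inbound scan",
               "category": "Attempted Recon", "severity": 2, "action": "allowed"}},
]
# Seen on LAN: an internal host talking out, twice.
for _ in range(2):
    _events.append({"event_type": "alert", "in_iface": "em1", "src_ip": "192.168.1.23",
                    "dest_ip": "203.0.113.55", "proto": "TCP",
                    "alert": {"signature_id": 1000003, "rev": 1,
                              "signature": "LOCAL constructed outbound beacon",
                              "category": "Malware Command and Control", "severity": 1,
                              "action": "allowed"}})
# Seen on LAN: internal-to-internal, firing repeatedly (likely a false-positive candidate).
for _ in range(3):
    _events.append({"event_type": "alert", "in_iface": "em1", "src_ip": "192.168.1.40",
                    "dest_ip": "192.168.1.1", "proto": "UDP",
                    "alert": {"signature_id": 1000002, "rev": 1,
                              "signature": "LOCAL constructed DNS policy",
                              "category": "Policy Violation", "severity": 3,
                              "action": "allowed"}})
SAMPLE_EVE = "\n".join(json.dumps(e) for e in _events)

# RFC1918 ranges define "LAN-side" here; ipaddress.is_private is deliberately not used
# because it also matches documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if ip is a valid address inside an RFC1918 range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def parse_alerts(eve_text):
    """Return the alert events from newline-delimited eve.json text, skipping other event types and damaged lines."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line at the end of a rotating log is common
        if event.get("event_type") == "alert" and "alert" in event:
            alerts.append(event)
    return alerts


def summarize(alerts):
    """Count hits per (sid, signature), per capture interface, and per internal endpoint."""
    by_signature, by_iface, internal_hosts = Counter(), Counter(), Counter()
    for a in alerts:
        sig = a["alert"]
        by_signature[(sig["signature_id"], sig["signature"])] += 1
        by_iface[a.get("in_iface", "?")] += 1
        for ip in (a.get("src_ip"), a.get("dest_ip")):
            if is_internal(ip):
                internal_hosts[ip] += 1
    return {"by_signature": by_signature, "by_iface": by_iface, "internal_hosts": internal_hosts}


def noisy_rules(alerts, min_hits):
    """SIDs that fired at least min_hits times: review these before switching them to drop."""
    counts = Counter(a["alert"]["signature_id"] for a in alerts)
    return sorted(sid for sid, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_EVE)
    report = summarize(found)
    for (sid, name), n in report["by_signature"].most_common():
        print(f"{n:4d}  sid {sid}  {name}")
    print("per interface:", dict(report["by_iface"]))
    print("internal endpoints:", dict(report["internal_hosts"]))
    print("review before enabling drop:", noisy_rules(found, 3))
```

On a real box you would feed it `/var/log/suricata/eve.json` instead of the constructed sample; the per-interface counter makes the WAN-versus-LAN difference from the first post visible, since only the alerts captured on the LAN interface ever name an internal host.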