OPNsense, Proxmox & Suricata IDS

Started by planetf1, May 14, 2024, 07:20:19 PM

I have OPNsense running on Proxmox (N100, 16GB) very nicely.

Under Proxmox, 3 of my I226-V ports are bridged as a Linux bridge, whilst the 4th is passed through to the OPNsense VM.
In OPNsense I have a WAN interface (passthrough) and a LAN interface (Linux bridge).

I've been exploring IDS - I may not need it, but I have a configuration question.

Suricata is enabled in IDS mode, with promiscuous mode enabled. I have some port-scanning detection rules installed.

If I do a port scan between two LAN devices (both are on a WAP, which itself is bridged), I do not get any alerts.
If I do a port scan to/from the OPNsense IP, then I do get alerts.

So it seems as if promiscuous mode isn't picking up the packets. Indeed, a Wireshark capture on another device on the LAN, or a packet capture on the LAN interface on OPNsense itself, only shows traffic going through that interface, not traffic just passing by (which I'd expected would be captured in promiscuous mode).

I guess that relates to the bridge config on Proxmox?
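The behaviour described in the post is what a Linux bridge does by design: it is a learning switch, not a hub. Once it has learned which port a destination MAC lives behind, it forwards unicast frames only to that port, so the OPNsense VM's tap only ever receives frames addressed to OPNsense (plus broadcast, multicast and unknown-unicast floods). Promiscuous mode on the VM's NIC cannot change what the bridge chooses to deliver to it. The usual fix on the Proxmox host is a tc port mirror: copy everything received on and transmitted out of the physical bridge ports into a tap that belongs to the VM. The script below is an added example written for this thread, not code from the original post or from the OPNsense or Proxmox projects. The interface names are assumptions: enp1s0, enp2s0 and enp3s0 stand for the three bridged I226-V ports on vmbr0, and tap100i2 stands for a NIC (VMID 100, net2) added to the OPNsense VM purely as a sniff interface.

```shell
#!/bin/sh
# Added example for the OPNsense-on-Proxmox IDS thread; not from the post.
# Mirrors all frames crossing the physical ports of a Proxmox Linux bridge
# into a tap owned by the OPNsense VM, so Suricata (IDS mode, promiscuous)
# sees LAN-to-LAN traffic that the learning bridge would never forward to it.
#
# Assumed (hypothetical) names - adjust for your host:
#   enp1s0 enp2s0 enp3s0  physical ports that are members of vmbr0
#   tap100i2              tap of VM 100, net2: a NIC added only for sniffing
#                         and attached to an otherwise empty bridge (e.g. a
#                         dedicated vmbr99) so it is NOT a member of vmbr0;
#                         otherwise mirrored frames would re-enter the LAN.
#
# Run on the Proxmox host as root.  DRY_RUN=1 prints the commands instead.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Mirror both directions of one physical port into the sniff tap.
#   ingress qdisc (ffff:) -> frames the port receives from the LAN
#   root prio qdisc (1:)  -> frames the bridge transmits out of the port
# "mirred egress mirror" transmits a copy out of $dst, i.e. into the VM.
mirror_port() {
    src="$1"; dst="$2"
    run tc qdisc add dev "$src" handle ffff: ingress
    run tc filter add dev "$src" parent ffff: matchall \
        action mirred egress mirror dev "$dst"
    run tc qdisc add dev "$src" handle 1: root prio
    run tc filter add dev "$src" parent 1: matchall \
        action mirred egress mirror dev "$dst"
}

# Remove the mirror again (deleting the qdiscs drops their filters too).
unmirror_port() {
    src="$1"
    run tc qdisc del dev "$src" handle ffff: ingress
    run tc qdisc del dev "$src" handle 1: root
}

# mirror_all <sniff-tap> <port>...
mirror_all() {
    dst="$1"; shift
    for p in "$@"; do
        mirror_port "$p" "$dst"
    done
}

# unmirror_all <port>...
unmirror_all() {
    for p in "$@"; do
        unmirror_port "$p"
    done
}

# Example invocation: ./mirror.sh up tap100i2 enp1s0 enp2s0 enp3s0
case "${1:-}" in
    up)   shift; mirror_all "$@" ;;
    down) shift; unmirror_all "$@" ;;
    "")   ;;   # no arguments: only define the functions (e.g. when sourced)
    *)    echo "usage: $0 up <sniff-tap> <port>... | down <port>..." >&2; exit 1 ;;
esac
```

Two caveats a practitioner will run into. First, the post's two test devices are both on the same wireless AP: frames between two clients of one AP are switched inside the AP and never reach the Proxmox NIC at all, so no host-side mirror or hub trick can expose them; only the AP (client isolation that forces traffic upstream, or an IDS on the AP itself) can. Second, a mirror of the physical ports' egress also copies OPNsense's own LAN traffic, which is why the example feeds a dedicated sniff NIC rather than the existing LAN tap: in OPNsense, assign that extra interface, enable it under Intrusion Detection with promiscuous mode, and keep the LAN interface out of the IDS list so each packet is inspected once. tc rules do not survive a reboot; hook the `up` call into a `post-up` line for vmbr0 in /etc/network/interfaces or a small systemd unit.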