Suricata and Sensei - Which NICs to activate

[ArminF]

Hello,
i did installed Sensei and it told me that some NICs are already used by the IDS/IPS Suricata.

What would be your proposal where to run which one of the apps?

IDS/IPS -> WAN
Rest NICs -> Sensei

AND my WAN is an PPOE so not sure if suricata runs on PPPOE

Looks like you cannot run it on the same nics together.

Curious how you handle this.

thanks
armin

[siga75]

I do what you proposed

IDS/IPS -> WAN
Rest NICs -> Sensei

[ArminF]

Siga, thank you for your answer.

What do you think. Would Sensei replace the IDS/IPS?

From the features it looks much more "intellegent"
Ok maybe the reporting on the IDS/IPS is poor designed within opnsense.

thanks for your thoughts!
A

[siga75]

in my opinion there's no sense to run IPS on interfaces other than WAN (remember it detect both incoming and outgoing) so you are protected from the external

sensei has more sense in the internal interfaces, it will detect also all the traffic going out to WAN since they comes from the other interfaces, you only miss traffic coming from the firewall itself.

I think it's a perfect solution

But they are two completely different products, with different purposes, Sensei is not an IDS/IPS, it's more for blocking categories of applications/websites and gives you statistic for analysis. Let's say you don't want a device can navigate to a porn site, even if no malware are there, sensei do this

[ArminF]

Mercie vielmol!

Thanks Siga, will continue to run as proposed and configured.

Keep safe and happy!
cheers A