Suricata legacy mode?

Started by cobrax2, August 08, 2021, 04:28:01 PM

Hi,
Since I have PPPoE on WAN, I can't use inline mode with Suricata.
How can I switch to legacy?
Thanks

It's easy: don't enable IPS mode. :)


Cheers,
Franco

lol, but does it allow blocking then? From what I've read, IDS mode only alerts, it does not block.
Also, does it work on PPPoE connections? It doesn't seem to.
Thanks

I'm not sure what "legacy" is to you. We have PCAP mode (IPS unticked) and Netmap mode (IPS ticked).


Cheers,
Franco

Yes, PCAP is what I am looking for.
I come from pfSense, which had Snort, and it worked on WAN in "legacy mode", that is, when the packets are copied instead of it being "inline", and it still worked with a small delay from what I understand, because on a match it still closed the connections.
But if I use Suricata, even in IDS mode, it doesn't show anything being blocked :(
Isn't it supposed to work with PPPoE in IDS mode?
Thanks again!

Hi,

Ah yes... context :)

We don't have this out-of-band IP block via pf table, because it's simply insecure. When it blocks, you have already been exploited.


Cheers,
Franco

Oh.
Then what are my choices, seeing that I have a PPPoE connection?
Or why doesn't Suricata work even on the LAN interface?
Thanks

August 09, 2021, 03:55:38 PM #7 Last Edit: August 09, 2021, 04:02:39 PM by chemlud
...sounds like you are struggling to get Suricata to work at all. Which rule sets do you have enabled?

https://docs.opnsense.org/manual/ips.html#choosing-an-interface

... and the whole rest of the documentation will help you to make some decisions. A bit of a difference to Snort on pfSense, if you start from scratch.
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

In the log, it says that it is started, lol.
I have some ET rules enabled, they are downloaded and seem to be ok.
I just don't know how to make it work.
If "legacy" mode doesn't work, I can't enable Suricata on WAN, then I can't see if any of the rules get hit, because I have no open ports to the exterior atm.
If I enable it on LAN, they also don't seem to work, as I tried some sites that say they test the IDS and everything went to the antivirus.
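One way to answer "do any of the rules get hit at all?" independently of the web UI is to read Suricata's EVE JSON log and count alert events by action and by signature. The script below is an added example, not code from this thread or from the OPNsense project: the log lines embedded in it are constructed samples in the eve.json record layout, the signature id and name are placeholders, and the default log path is an assumption. In PCAP (IDS) mode nothing is dropped, so every alert carries the action "allowed"; only Netmap (IPS) mode with drop rules produces "blocked", which is the distinction Franco draws above.

```python
import json
from collections import Counter

# Assumed default location of the EVE log on the firewall; adjust as needed.
EVE_LOG_PATH = "/var/log/suricata/eve.json"

# Constructed sample records (not real traffic); field names follow the EVE alert layout.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-08-10T06:30:01.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.7","dest_ip":"192.0.2.10","proto":"TCP",'
    '"alert":{"action":"allowed","signature_id":1000001,"rev":1,'
    '"signature":"LOCAL constructed test alert","category":"Test","severity":2}}',
    '{"timestamp":"2021-08-10T06:30:02.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.7","dest_ip":"192.0.2.10","proto":"TCP",'
    '"alert":{"action":"blocked","signature_id":1000001,"rev":1,'
    '"signature":"LOCAL constructed test alert","category":"Test","severity":2}}',
    # Non-alert event types are common in eve.json and must be skipped.
    '{"timestamp":"2021-08-10T06:30:03.000000+0000","event_type":"flow",'
    '"src_ip":"192.0.2.10","dest_ip":"198.51.100.3","proto":"TCP"}',
    '{"timestamp":"2021-08-10T06:30:04.000000+0000","event_type":"stats","stats":{"uptime":120}}',
    # A torn line (log rotation, partial write) must not abort the whole scan.
    '{"timestamp":"2021-08-10T06:30:05.0',
]


def iter_alerts(lines):
    """Yield only well-formed alert events from an iterable of eve.json lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate torn or foreign lines
        if event.get("event_type") == "alert" and isinstance(event.get("alert"), dict):
            yield event


def summarize_alerts(lines):
    """Count alerts by action ("allowed"/"blocked") and by (sid, signature name)."""
    by_action = Counter()
    by_signature = Counter()
    for event in iter_alerts(lines):
        alert = event["alert"]
        by_action[alert.get("action", "unknown")] += 1
        by_signature[(alert.get("signature_id"), alert.get("signature"))] += 1
    return by_action, by_signature


def rules_are_hitting(lines):
    """True if at least one alert was logged, i.e. the rule set is matching traffic."""
    return any(True for _ in iter_alerts(lines))


def unblocked_alerts(lines):
    """Alerts that matched but were not dropped (what you see in PCAP/IDS mode)."""
    return [e for e in iter_alerts(lines) if e["alert"].get("action") == "allowed"]


def summarize_file(path=EVE_LOG_PATH):
    """Read the real log from disk and return the same summary as summarize_alerts()."""
    with open(path, encoding="utf-8") as fh:
        return summarize_alerts(fh)


if __name__ == "__main__":
    by_action, by_signature = summarize_alerts(SAMPLE_EVE_LINES)
    print("rules hitting:", rules_are_hitting(SAMPLE_EVE_LINES))
    print("by action:", dict(by_action))
    for (sid, name), count in by_signature.most_common():
        print(f"  sid {sid} {name!r}: {count}")
```

Running it against the real file with `summarize_file()` gives a quick check that the interface actually sees traffic and that the enabled rules produce alerts; if the counters stay at zero while the log shows Suricata started, the problem is the interface choice or the rule set rather than the blocking mode.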

August 10, 2021, 06:32:58 AM #9 Last Edit: August 10, 2021, 06:34:33 AM by cobrax2
Sorry for my ignorance, I am not an expert, but I am trying to solve my problem.
Is there any way to do this?
I have another free ethernet port on the router, can I somehow do an instance that connects to the PPPoE WAN server on that port, decode the PPPoE layer and then pass the traffic to the true WAN port, like bridging them? Like adding another physical PPPoE router in front of the main one without really adding it?
Thanks again

Well, running IPS on LAN in that case is what I would have suggested too.

What sort of hardware / network devices are we talking about? Does traffic pass through or not? If it passes, does it not block?


Cheers,
Franco

I managed to get it working on LAN, but I do have a few services on the server WAN side that I'd like to protect: VPN and SSH for now. So I'd like to run Suricata on WAN.
My setup is: I have a PC, 2 Intel Gb PCI (em0 and em1), one for WAN and one for LAN. The MB also has a LAN adapter that is free. Is it possible to use this spare adapter as a PPPoE client and then bridge it to the em0 WAN adapter somehow, so Suricata running on em0 will "see" it as a standard interface and work on it?
Thanks again for your willingness to help me.

Both protocols are encrypted and will not give you extra security being run through an IDS or IPS.


Cheers,
Franco

Ok, cool.
But I would still want to do it for some other ones that I might add later.
Is there a way to use the 3rd adapter?

I investigated some more, I think the 3rd adapter must not be in bridge mode, as it will still pass the PPPoE authentication to the other adapter.
So it would have to be somehow in router mode, then the other Intel would have to be NAT'ed but declared somehow as external and run Suricata, and the second Intel as LAN.
But then I'd be double NAT'ed, which is not good, right?