Suricata: does it operate outside firewall or inside?

Started by eponymous, December 22, 2021, 06:52:38 PM

Hi,

This should be simple to answer and I think I know the answer but just want to confirm.

I've set Suricata to IPS on the WAN interface.

I'm seeing a lot of alerts where the source address is an external IP address (port scans and so on).

Initially this surprised me as I'd just assumed Suricata would sit inside the firewall and only check traffic that had been allowed through the firewall.

But it appears it does this:

                         Router
                -------------------------
Internet <---> | Suricata <-> Firewall |
                -------------------------


rather than this:

                         Router
                -------------------------
Internet <---> | Firewall <-> Suricata |
                -------------------------



Is that correct?

I don't have any open ports in my firewall so for me this is just noise but is still interesting to see what's happening.

Quote from: eponymous on December 22, 2021, 06:52:38 PM

                         Router
                -------------------------
Internet <---> | Firewall <-> Suricata |
                -------------------------


That should be the right flow diagram. I see attacks to my proposed services, only. In addition to that, the IPS shows me the DNAT IP. DNAT is done by the firewall. This is my explanation approach.
OPNsense consulting, installation, configuration and care by DU Consult

Internet -> WAN address -> Suricata -> LAN address -> clients if you put Suricata on WAN interface.

Clients -> LAN address -> Suricata -> WAN address -> Internet if you put Suricata on LAN interface.

Suricata uses netmap, which intercepts traffic before it will reach the network stack. See https://docs.opnsense.org/manual/ips.html#choosing-an-interface for more info (it also explains why, for IPv4, IPS should be enabled on internal interfaces and not the external ones).

Best regards,

Ad

@Ad Thanks for confirming!

I also found https://forum.netgate.com/post/671428 which explains the same for pfSense.

Quote: ...(it also explains why, for IPv4, IPS should be enabled on internal interfaces and not the external ones).

I did read that when I was first setting this up. For me I don't have a choice of interface to run Suricata on as I'm using Sensei on the LAN. However, are there any major issues, aside from NAT complications, with running it on the WAN or is it just "preferred" to run it on the LAN? I've added my external IPv4 address to the home networks fields and I can see Suricata dropping various things from outside->inside. Also I'm seeing things that are initiated from my network being dropped as well - which is great to test it's working even though they're all so far just false positives :)

Best.

@eponymous well, there are a couple of issues when using IDPS on the WAN side, but that doesn't mean you can't or shouldn't use it. The main ones are the following (mostly as you already expected):


  • NAT, since you don't know the origin of the traffic as it comes from your network, debugging is difficult
  • False positives when it comes to traffic already being blocked by your firewall
  • Rules, since most rules describe $HOME_NET versus non-$HOME_NET you will need to statically define a homenet as RFC1918 usually doesn't exist on your WAN
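The last two bullets (alerts for traffic the firewall would have dropped anyway, and the need for a statically defined $HOME_NET that includes the public WAN address) can be turned into a small eve.json triage script. This is an added example, not code from the thread or from OPNsense; the sample alert lines, the HOME_NET ranges and the set of forwarded ports are all constructed for illustration.

```python
import ipaddress
import json

# Constructed sample eve.json lines (not real alerts from the thread): 198.51.100.7
# plays the WAN address, 192.168.1.0/24 the LAN, 203.0.113.0/24 the outside world.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"203.0.113.9","src_port":51234,"dest_ip":"198.51.100.7","dest_port":445,"proto":"TCP","alert":{"signature":"EXAMPLE SMB probe","action":"blocked"}}
{"event_type":"alert","src_ip":"203.0.113.10","src_port":40000,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"signature":"EXAMPLE web scanner","action":"allowed"}}
{"event_type":"alert","src_ip":"192.168.1.20","src_port":55555,"dest_ip":"203.0.113.50","dest_port":80,"proto":"TCP","alert":{"signature":"EXAMPLE policy rule","action":"blocked"}}
{"event_type":"flow","src_ip":"192.168.1.20","src_port":55556,"dest_ip":"203.0.113.50","dest_port":80,"proto":"TCP"}
"""

# With IPS on WAN, HOME_NET has to be defined statically: the RFC1918 LAN range plus
# the public WAN address (assumed values). Without it, direction cannot be derived.
HOME_NET = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "198.51.100.7/32")]

# Destination ports the firewall actually forwards (assumed: only HTTPS is published).
ALLOWED_INBOUND_PORTS = {443}


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def classify(alert: dict) -> str:
    """Direction plus whether the firewall would have dropped the packet anyway."""
    src_home, dst_home = in_home_net(alert["src_ip"]), in_home_net(alert["dest_ip"])
    if src_home and not dst_home:
        return "outbound"
    if dst_home and not src_home:
        if alert["dest_port"] in ALLOWED_INBOUND_PORTS:
            return "inbound-exposed"      # reached a service that is really published
        return "inbound-blocked-anyway"   # noise: WAN-side IPS sees it before the firewall
    return "internal" if src_home else "external-only"


def triage(eve_text: str) -> dict:
    """Count alert records per class; non-alert event types (flow, dns, ...) are skipped."""
    counts = {}
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        kind = classify(rec)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, n in sorted(triage(SAMPLE_EVE).items()):
        print(f"{kind:24s} {n}")
```

Feed it a real eve.json instead of SAMPLE_EVE and the "inbound-blocked-anyway" bucket is the part of the WAN-side alert volume that an IPS on the LAN interface would never have shown you.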