Suricata - where?

Started by planetf1, May 17, 2024, 02:28:00 PM

I am running opnsense (current) under proxmox. My WAN port is currently pass-through, whilst LAN is using a proxmox/linux bridge. Works great. Out of the bridged lan are some devices (direct), A wireless access point (eero) in bridged mode, and some dumb switches.

For IDS/IDP if I were to run on WAN, I'll get a whole lot of irrelevant noise — I allow virtually zero traffic in, but Suricata captures the data before the firewall. Q1 - is there a way to get Suricata to only look at traffic after the firewall rules are applied?


Alternatively I tried running only on the LAN. This also has the benefit of potentially looking at any dodgy stuff internal to the network. But when I tried it (even in promiscuous mode) I could only see traffic that was going to/from the router & not other LAN traffic.

I suspect the answer to both is that it's possible with some interface changes - maybe another intermediate interface for the first, and perhaps linux (proxmox) configuration on the latter.

I'm also interested in IDS to understand more about the traffic on my lan, including understanding what encryption is in use (and details like curves, use of PQC etc) but the above is a prerequisite to even thinking about this...

Quote
Alternatively I tried running only on the LAN. This also has the benefit of potentially looking at any dodgy stuff internal to the network. But when I tried it (even in promiscuous mode) I could only see traffic that was going to/from the router & not other LAN traffic.

That sounds right to me. The switches will only forward traffic to the firewall LAN interface if the MAC address in the ethernet header is that of the firewall LAN interface. That will happen when each client inside your network decides to use the gateway as next L2 hop. Inspecting on the LAN interface is probably what you want. You'll catch your clients trying to connect to dodgy hosts on the internet, and you can identify those internal clients by IP address and/or MAC address.

Getting horizontal network traffic is not easy. I know of two ways:
- Buy Cisco 9000 series switches or similar and StealthWatch or whatever they call it now.
- Configure span ports on switches that dump all traffic to a separate interface on the firewall. If you have dumb switches that is not an option, and besides it is a really ugly solution that might work for a small network only.

Regarding your other questions I have no idea.
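The point made in the reply above (a switched LAN port only ever delivers frames addressed to the firewall's own MAC, plus broadcast/multicast, so promiscuous mode alone never reveals east-west traffic) can be checked directly against a packet capture taken on the LAN interface. The following is an added example, not code from the thread or from OPNsense/Suricata: it parses a libpcap file, buckets each Ethernet frame as "to/from gateway", "broadcast/multicast" or "east-west" (neither MAC is the gateway and the destination is unicast), and reports whether any east-west frames are present. The MAC addresses and the two in-memory captures are constructed for the example; in practice you would feed it a file written by `tcpdump -i <lan-if> -w lan.pcap` on the firewall, with the LAN interface's real MAC as the gateway address.

```python
import struct
from collections import Counter

# Constructed, locally administered MAC addresses for the example (not real devices).
GATEWAY_MAC = "02:00:00:00:00:01"     # the firewall's LAN interface
HOST_A_MAC = "02:00:00:00:00:aa"
HOST_B_MAC = "02:00:00:00:00:bb"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_pcap(frames) -> bytes:
    """Assemble a libpcap capture (linktype 1 = Ethernet) from (dst_mac, src_mac, payload) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for i, (dst, src, payload) in enumerate(frames):
        frame = mac_bytes(dst) + mac_bytes(src) + b"\x08\x00" + payload  # ethertype IPv4
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap: bytes):
    """Yield (dst_mac, src_mac) for every Ethernet frame in a libpcap byte string."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != 1:
        raise ValueError(f"expected Ethernet (linktype 1), got {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        data = pcap[off:off + incl_len]
        off += incl_len
        if len(data) >= 14:
            yield data[:6], data[6:12]


def classify(pcap: bytes, gateway_mac: str) -> Counter:
    """Count frames by who they are between, from the firewall LAN port's point of view."""
    gw = mac_bytes(gateway_mac)
    counts = Counter()
    for dst, src in iter_frames(pcap):
        if dst[0] & 1:
            # Group bit set: broadcast or multicast. Switches flood these to every port,
            # so the firewall sees them even without a SPAN/mirror port.
            counts["broadcast/multicast"] += 1
        elif dst == gw or src == gw:
            counts["to/from gateway"] += 1
        else:
            # Unicast between two other hosts: only visible if the switch mirrors it
            # (or floods it as unknown unicast), never through promiscuous mode alone.
            counts["east-west"] += 1
    return counts


def sees_east_west(counts: Counter) -> bool:
    return counts["east-west"] > 0


def sample_lan_port_capture() -> bytes:
    """Constructed capture as a plain switched LAN port would see it."""
    return build_pcap([
        (GATEWAY_MAC, HOST_A_MAC, b"\x45" * 20),     # host A -> firewall
        (HOST_A_MAC, GATEWAY_MAC, b"\x45" * 20),     # firewall -> host A
        (BROADCAST_MAC, HOST_A_MAC, b"\x00" * 28),   # host A broadcast (e.g. ARP)
    ])


def sample_span_capture() -> bytes:
    """Constructed capture from a mirror/SPAN port: same frames plus host A <-> host B."""
    return sample_lan_port_capture()[:0] + build_pcap([
        (GATEWAY_MAC, HOST_A_MAC, b"\x45" * 20),
        (HOST_A_MAC, GATEWAY_MAC, b"\x45" * 20),
        (BROADCAST_MAC, HOST_A_MAC, b"\x00" * 28),
        (HOST_B_MAC, HOST_A_MAC, b"\x45" * 20),      # host A -> host B
        (HOST_A_MAC, HOST_B_MAC, b"\x45" * 20),      # host B -> host A
    ])


if __name__ == "__main__":
    for name, pcap in (("LAN port", sample_lan_port_capture()), ("SPAN port", sample_span_capture())):
        counts = classify(pcap, GATEWAY_MAC)
        print(name, dict(counts), "east-west visible:", sees_east_west(counts))
```

If a capture from the firewall's LAN interface shows zero east-west frames over a period of normal use, Suricata on that interface is limited to north-south traffic (plus broadcast/multicast noise) regardless of promiscuous mode, which is exactly the behaviour described in the thread; a non-zero count means the switch is mirroring or flooding unicast to that port.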

thanks. I think I've figured out now that I could capture all the lan traffic - but I'm not going to try. I'll just stick with monitoring lan which will capture all in/out traffic.