[Oisf-users] Using Suricata with OpenBSD HA Firewalls
Andreas Herz
andi at geekosphere.org
Mon Nov 28 22:11:22 UTC 2016
On 28/11/16 at 10:50, C. L. Martinez wrote:
> Hi all,
>
> I have installed the Suricata 3.1.3 release on a pair of OpenBSD CARP'ed
> firewalls (for HA availability). My idea is to sniff/monitor only
> internal connections, but I have a doubt about which interface I need
> to configure for suricata. My first test was to sniff/monitor the
> physical interface, running suricata with the -i switch, but I received a
> lot of alerts like these:
Could you be more specific about how you run suricata (the command) and
what your setup and configuration look like?
> .. which is certainly true, because these OpenBSD firewalls are
> configured to balance traffic ... Changing to use the carp interfaces, no
> alert is triggered but suricata sees packets:
In this mode (again please post the commandline if possible) do you
expect to see alerts? Many rules are related to "EXTERNAL_NET" and thus
might not trigger within your local network unless you configure it
correctly.
--
Andreas Herz
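An added illustration of the EXTERNAL_NET point raised in the reply above (example code, not part of the thread and not Suricata's own code): a simplified model of how Suricata's HOME_NET/EXTERNAL_NET address variables decide whether a rule header such as `$EXTERNAL_NET any -> $HOME_NET any` can match an internal-to-internal flow. The subnets, rule header and flow addresses are constructed assumptions, not the poster's configuration.

```python
import ipaddress

# Constructed example: model Suricata's address-variable matching (simplified;
# real suricata.yaml writes the lists as "[a,b]" strings and rules carry more
# than a header). HOME_NET/EXTERNAL_NET values below are assumptions.
HOME_NET = ["192.168.1.0/24", "10.0.0.0/8"]

# Weak setting for monitoring internal-only traffic: EXTERNAL_NET excludes
# HOME_NET, so an internal source can never satisfy "$EXTERNAL_NET -> ...".
VARS_EXCLUDE_INTERNAL = {"HOME_NET": HOME_NET, "EXTERNAL_NET": ["!$HOME_NET"]}
# Corrected setting: let rules written against $EXTERNAL_NET also consider
# internal sources, at the cost of more (possibly noisy) matches.
VARS_ANY = {"HOME_NET": HOME_NET, "EXTERNAL_NET": ["any"]}

def addr_matches(ip, spec, rule_vars):
    """True if ip is covered by one address spec: 'any', a CIDR, a '$VAR'
    (expanded from rule_vars) or a '!'-negated form of any of these."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(ip, spec[1:], rule_vars)
    if spec.startswith("$"):
        return any(addr_matches(ip, s, rule_vars) for s in rule_vars[spec[1:]])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def header_matches(rule_header, src_ip, dst_ip, rule_vars):
    """Evaluate 'proto SRC sport -> DST dport' against a flow (ports ignored)."""
    _proto, src, _sport, _arrow, dst, _dport = rule_header.split()
    return addr_matches(src_ip, src, rule_vars) and addr_matches(dst_ip, dst, rule_vars)

# Typical header shape used by many ruleset signatures.
RULE = "tcp $EXTERNAL_NET any -> $HOME_NET any"

def internal_flow_fires(rule_vars):
    """Constructed internal-to-internal flow between two HOME_NET hosts."""
    return header_matches(RULE, "192.168.1.10", "10.0.0.5", rule_vars)

if __name__ == "__main__":
    print("EXTERNAL_NET = !$HOME_NET:", internal_flow_fires(VARS_EXCLUDE_INTERNAL))  # False
    print("EXTERNAL_NET = any      :", internal_flow_fires(VARS_ANY))  # True
```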