[Oisf-users] Using Suricata with OpenBSD HA Firewalls

Andreas Herz andi at geekosphere.org
Mon Nov 28 22:11:22 UTC 2016

On 28/11/16 at 10:50, C. L. Martinez wrote:
> Hi all,
>  I have installed Suricata 3.1.3 release in a pair of OpenBSD CARP'ed
>  firewalls (for HA availability). My idea is to sniff/monitor only
>  internal connections, but I have a doubt about what interface I need
>  to configure for suricata. My first test was to sniff/monitor
>  physical interface running suricata with -i switch, but I received a
>  lot of alerts like these:

Could you be more specific about how you run suricata (the command) and
what your setup and configuration look like?

>  .. which it is certainly true, because these OpenBSD firewalls are
>  configured to balance traffic ... Changing to use carp interfaces, no
>  alert is triggered but suricata sees packets:

In this mode (again, please post the command line if possible) do you
expect to see alerts? Many rules are related to "EXTERNAL_NET" and thus
might not trigger within your local network unless you configure it

Andreas Herz
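
The point above about "EXTERNAL_NET" rules staying silent on local traffic, as an added example that is not part of the original message: a simplified Python model of address-variable matching, not Suricata's own code. The HOME_NET ranges, the sample addresses and the function names are assumptions made for illustration.

```python
import ipaddress

def resolve(expr, variables):
    """Turn an address expression into a predicate ip -> bool.

    Simplified model: 'any', a CIDR or single address, $VAR, a leading '!',
    and flat [a,b,...] lists of non-negated items.
    """
    expr = expr.strip()
    if expr.startswith("!"):
        inner = resolve(expr[1:], variables)
        return lambda ip: not inner(ip)
    if expr == "any":
        return lambda ip: True
    if expr.startswith("$"):
        return resolve(variables[expr[1:]], variables)
    if expr.startswith("["):
        items = [i.strip() for i in expr[1:-1].split(",")]
        if any(i.startswith("!") for i in items):
            raise ValueError("negated list items are outside this model")
        preds = [resolve(i, variables) for i in items]
        return lambda ip: any(p(ip) for p in preds)
    net = ipaddress.ip_network(expr, strict=False)
    return lambda ip: ip in net

def header_matches(src_expr, dst_expr, src_ip, dst_ip, variables):
    """True if a flow's addresses satisfy a rule header 'src -> dst'."""
    src = resolve(src_expr, variables)(ipaddress.ip_address(src_ip))
    dst = resolve(dst_expr, variables)(ipaddress.ip_address(dst_ip))
    return src and dst

# Constructed values: RFC 1918 ranges as HOME_NET, EXTERNAL_NET as its negation.
NEGATED = {"HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
           "EXTERNAL_NET": "!$HOME_NET"}
# Same HOME_NET, but EXTERNAL_NET widened so internal sources qualify too.
WIDENED = dict(NEGATED, EXTERNAL_NET="any")

HEADER = ("$EXTERNAL_NET", "$HOME_NET")     # typical inbound rule direction
INTERNAL_FLOW = ("10.0.0.5", "10.0.1.9")    # constructed LAN-to-LAN flow
INBOUND_FLOW = ("203.0.113.7", "10.0.1.9")  # constructed Internet-to-LAN flow

if __name__ == "__main__":
    for name, variables in (("negated", NEGATED), ("widened", WIDENED)):
        for flow in (INTERNAL_FLOW, INBOUND_FLOW):
            print(name, flow, header_matches(*HEADER, *flow, variables))
```

With EXTERNAL_NET defined as the negation of HOME_NET, the LAN-to-LAN flow never satisfies the rule header, so no alert can fire regardless of payload.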
