Can Snort or Suricata help prevent vulnerability attacks on IoT devices

Hi, Everyone.

Just asking about the topic mentioned; if this was answered before, may I request a link to the previous forum thread. Since IoT devices are unavoidable, I just want to know if there is a way to secure them against possible vulnerability attacks (aside from keeping them updated). I know keeping the devices updated is the best way to do this. I just want to know if at least an IDS/IPS system would help.

Don’t think the answer is a simple yes or no; no point having a poorly configured Suricata on an insecure network!
Personally I’m in the (long) process of setting up Security Onion on my network so I get some more insight as to what is happening if anything.

The steps I’ve taken to try and keep my network, which has a few IoT devices, secure include:

  1. Use VLANs to segment my network
  2. My IP camera VLAN can’t get out or access other VLANs
  3. My IoT VLAN can access the WAN but not other VLANs; additionally, it exits via a VPN connection.
  4. On my network devices I use non-standard usernames with the longest password accepted. Where I can, I disable the admin account.
  5. My cameras and wifi devices are all on 802.1X, which is encapsulated with an OpenVPN connection.

As I’m running pfSense these are all features which are fairly easy to set up. Are my network and the devices on it secure? Well, the only way to know for sure is to pay a pentester and see if they can get in!

Thinking devices are secure because they are updated is probably the biggest vulnerability … I have several devices which work OK but are no longer supported; that’s the better scenario to plan for.
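Steps 1 to 3 of the list above, expressed as a hand-written pf ruleset. This is an added illustration, not the original poster's configuration and not what pfSense generates from its GUI; the interface names (em0, em1.10, em1.20, ovpnc1), the tunnel gateway address and the use of DHCP/DNS from the router are all assumptions made for the example.

```pf
# Assumed interface names and addresses (not from the original post)
wan    = "em0"
cam    = "em1.10"      # IP camera VLAN
iot    = "em1.20"      # IoT VLAN
ovpn   = "ovpnc1"      # OpenVPN client tunnel used as the IoT exit
vpn_gw = "10.8.0.1"    # assumed tunnel gateway
table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# Translation rules come before filter rules in pf.conf
nat on $ovpn from ($iot:network) to any -> ($ovpn)

# Default deny on every interface; everything below is an explicit exception
block log all

# Camera VLAN: may only reach this router for DHCP and DNS.
# No WAN access, no access to other VLANs.
pass in quick on $cam proto udp from ($cam:network) to ($cam) port { 53, 67 }
block in quick log on $cam

# IoT VLAN: DHCP and DNS from the router, nothing else on private address
# space (so no hopping to the LAN or camera VLAN), and all remaining traffic
# is forced out through the VPN tunnel rather than the plain WAN.
pass in quick on $iot proto udp from ($iot:network) to ($iot) port { 53, 67 }
block in quick log on $iot from any to <private>
pass in quick on $iot route-to ($ovpn $vpn_gw) from ($iot:network) to any keep state
```

The two `block ... log` lines are what make the segmentation checkable afterwards: a camera or IoT device that suddenly starts probing the LAN shows up in the pf log rather than silently being dropped, which is the kind of signal an IDS such as Suricata on the internal interfaces can also pick up.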

Hi, Neogrid.

Thanks for the input, greatly appreciated.

In regards to the RADIUS setup, did you use FreeRADIUS? If yes, did you separate it from pfSense or use the pfSense package?

Yes, I used the service on pfSense … further, I would add that I also use separate certificates and credentials for OpenVPN per device, per user, per OpenVPN server. It probably sounds over the top, but as these are easy steps I may as well do them; plus, if I lose my mobile, it’s much easier to remove the device from the server without affecting other users.

So I’d say there are some easy things you can do too :slight_smile:

Suricata and Snort can help, but nothing is foolproof. And you may spend a lot of time clearing rules for legitimate activity. I recently had a new rule block me while trying to download software from a company; they use Akamai as a CDN to handle the bandwidth and file sizes. One week it worked fine, the next it gets blocked. I’m guessing someone was spreading an attack by way of the Akamai CDN. This was an Emerging Threats (ET) rule. So you are going to need to constantly chase these rules when something doesn’t work.

But as part of the puzzle, it will help.

As mentioned, segmenting networks with rules that prevent hopping from one to the other also helps.

You could also do something like e2guardian and blanket block everything, then open only the sites you need. This only works if you have a relatively small number of sites you need working. Might be OK for IoT devices, but certainly not great for general wireless devices unless you really only want certain things working. Sorting through all the sites that a single web page might use can be a job; I think I have 10 for Google/YouTube, and one local news station site had like 15 before I could get their videos to play.
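The "chasing rules" problem described in the post above (an ET rule that starts blocking a legitimate CDN download) is usually handled by reviewing which signatures fire against which hosts and then suppressing a rule only for the host it misfires on, instead of disabling it globally. The script below is an added example, not code from the original thread: it reads Suricata's EVE JSON alert output, tallies alerts per signature ID, and emits host-scoped `suppress` entries in `threshold.config` syntax for the (SID, host) pairs an operator has already reviewed. The sample log lines, addresses, SIDs and signature names are constructed for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of Suricata EVE JSON output (one JSON object per line),
# in the shape Suricata writes to eve.json. Addresses, SIDs and signature
# names are invented for this example; one line is deliberately malformed.
SAMPLE_EVE = """\
{"timestamp":"2024-01-10T08:01:02.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.168.20.5","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2999001,"rev":3,"signature":"ET POLICY Example CDN download","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2024-01-10T08:01:09.000000+0000","event_type":"flow","src_ip":"192.168.20.5","dest_ip":"203.0.113.10","proto":"TCP"}
{"timestamp":"2024-01-10T08:03:15.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.168.20.5","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2999001,"rev":3,"signature":"ET POLICY Example CDN download","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2024-01-10T08:05:40.000000+0000","event_type":"alert","src_ip":"192.168.30.9","dest_ip":"198.51.100.7","proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2999002,"rev":1,"signature":"ET INFO Example IoT beacon","category":"Misc activity","severity":3}}
not json at all
"""


def parse_alerts(eve_text):
    """Return only the alert records from EVE JSON text.

    Other event types (flow, dns, http, ...) are skipped, as are lines that
    do not parse, which happens with a partially written last line."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and "alert" in rec:
            alerts.append(rec)
    return alerts


def summarize(alerts):
    """Count alerts per (gid, sid, signature) and collect the destination
    hosts each signature fired on, which is what you look at when deciding
    whether a rule is misfiring on one box or on the whole network."""
    counts = Counter()
    dests = defaultdict(set)
    for rec in alerts:
        a = rec["alert"]
        key = (a.get("gid", 1), a["signature_id"], a["signature"])
        counts[key] += 1
        dests[key].add(rec["dest_ip"])
    return counts, dests


def suppress_line(sid, ip, track="by_dst", gid=1):
    """Build one threshold.config 'suppress' entry scoped to a single host."""
    return f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}"


def propose_suppressions(alerts, reviewed_ok):
    """For each (sid, dest_ip) pair the operator has reviewed and judged
    legitimate, emit a host-scoped suppression rather than disabling the
    whole rule. Pairs that never actually fired are ignored."""
    seen = {(rec["alert"]["signature_id"], rec["dest_ip"]) for rec in alerts}
    return sorted(suppress_line(sid, ip) for sid, ip in reviewed_ok if (sid, ip) in seen)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    counts, dests = summarize(alerts)
    for (gid, sid, sig), n in counts.most_common():
        print(f"{n:4d}  {gid}:{sid}  {sig}  hosts={sorted(dests[(gid, sid, sig)])}")
    # The operator has confirmed the CDN download to 192.168.20.5 is legitimate.
    for line in propose_suppressions(alerts, {(2999001, "192.168.20.5")}):
        print(line)
```

Tracking `by_dst` for the one host that downloads from that vendor keeps the rule live for every other device on the network, which matters on an IoT segment where the same signature firing on a camera or a smart plug is exactly the event you want to keep seeing.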