Hi,
I was using Suricata in Security Onion to get IDS alerts, and since SO does not support Suricata IPS I started exploring pfSense Suricata IDS/IPS. Now I have Suricata IDS alerts in SO as well as in pfSense. In addition to this, Suricata in pfSense can do the blocking part using legacy-mode blocking. It means IPS is sorted in pfSense.
If I want to integrate Security Onion and pfSense for Suricata IDS/IPS, then what would be the best possible solution:
- Just forward pfSense remote logs (IPS/IDS) to SO (using syslog), then have the alerts in SO Kibana and remove Suricata IDS from SO?
- Forward Security Onion Suricata IDS alerts to pfSense using plugins and let pfSense perform only IPS (blocking) - (sounds weird?)
Kindly share suggestions.