pfSense + Suricata + Security Onion


I was using Suricata in Security Onion to get IDS alerts, and since SO does not support Suricata IPS, I started exploring the pfSense Suricata IDS/IPS. Now I have Suricata IDS alerts in SO as well as in pfSense. In addition to this, Suricata in pfSense can do the blocking part using legacy-mode blocking. It means IPS is sorted in pfSense.

If I want to integrate Security Onion and pfSense for Suricata IDS/IPS, then what would be the best possible solution:

  1. Just forward pfSense remote logs (IPS/IDS) to SO (using syslog), then have alerts in SO Kibana and remove Suricata IDS from SO?
  2. Forward Security Onion Suricata IDS alerts to pfSense using plugins and let pfSense perform only IPS (blocking)? (Sounds weird?)

Kindly share suggestions.

SO just ingests the data, so it will not actively block; the solution is to run Suricata on pfSense for the IPS and SO for the more in-depth knowledge about the packets.
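Option 1 in the question (ship the pfSense Suricata log to SO over syslog and keep SO as the ingest/analysis side, as the reply also recommends) depends on the receiving end being able to peel the syslog header off each line and read the Suricata EVE JSON underneath. The following Python is an added example written for this page; it is not code from the original post, from pfSense or from Security Onion. It assumes an RFC 3164-style syslog header ("<PRI>timestamp host tag: payload") in front of each EVE record, and all sample lines, hostnames, IPs and the signature IDs 9000001/9000002 are constructed for the example. It keeps only `event_type: alert` records, drops malformed lines instead of crashing, and splits alert counts by `alert.action` so you can see at a glance which sensor events Suricata itself reported as blocked.

```python
import json
from collections import Counter

# Constructed sample input: Suricata EVE JSON records wrapped in an RFC 3164
# syslog line ("<PRI>timestamp host tag: payload"), as a firewall forwarding
# its Suricata log over syslog might emit them. Hosts, IPs and SIDs are made
# up for this example; nothing here was captured from pfSense or Security Onion.
SAMPLE_SYSLOG = [
    '<13>Jan 10 12:00:01 fw1 suricata[1234]: '
    '{"timestamp":"2024-01-10T12:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.5","src_port":44321,"dest_ip":"192.0.2.10","dest_port":22,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,'
    '"signature":"LOCAL SSH scan (constructed)","category":"Attempted Information Leak","severity":2}}',
    '<13>Jan 10 12:00:02 fw1 suricata[1234]: '
    '{"timestamp":"2024-01-10T12:00:02.000000+0000","event_type":"flow",'
    '"src_ip":"192.0.2.10","src_port":51000,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP"}',
    '<13>Jan 10 12:00:03 fw1 suricata[1234]: '
    '{"timestamp":"2024-01-10T12:00:03.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.5","src_port":44322,"dest_ip":"192.0.2.10","dest_port":22,'
    '"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,'
    '"signature":"LOCAL SSH scan (constructed)","category":"Attempted Information Leak","severity":2}}',
    '<13>Jan 10 12:00:04 fw1 suricata[1234]: '
    '{"timestamp":"2024-01-10T12:00:04.000000+0000","event_type":"alert",'
    '"src_ip":"198.51.100.7","src_port":80,"dest_ip":"192.0.2.11","dest_port":50212,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":3,'
    '"signature":"LOCAL suspicious HTTP response (constructed)","category":"Potentially Bad Traffic","severity":3}}',
    'this line is not JSON at all and must be skipped',
]


def strip_syslog_header(line):
    """Return the JSON payload of a syslog line, or None if there is none.

    The EVE record runs from the first '{' to the end of the line; everything
    before it is the syslog priority/timestamp/host/tag header, which is
    discarded because the EVE record carries its own timestamp.
    """
    start = line.find("{")
    if start == -1:
        return None
    return line[start:]


def parse_eve_alerts(lines):
    """Parse syslog-wrapped EVE records and return only the alert events,
    normalised to the handful of fields an analyst pivots on in Kibana."""
    alerts = []
    for line in lines:
        payload = strip_syslog_header(line)
        if payload is None:
            continue
        try:
            rec = json.loads(payload)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: drop it rather than crash the pipeline
        if rec.get("event_type") != "alert":
            continue  # flow/dns/http records are useful elsewhere, not in this pass
        a = rec.get("alert", {})
        alerts.append({
            "timestamp": rec.get("timestamp"),
            "src_ip": rec.get("src_ip"),
            "dest_ip": rec.get("dest_ip"),
            "dest_port": rec.get("dest_port"),
            "sid": a.get("signature_id"),
            "signature": a.get("signature"),
            "severity": a.get("severity"),
            "action": a.get("action"),
        })
    return alerts


def count_by_signature(alerts):
    """Alert volume per (sid, action): the quick 'is the sensor actually blocking?' view."""
    return Counter((x["sid"], x["action"]) for x in alerts)


def blocked_sources(alerts):
    """Source IPs that Suricata itself reported as blocked (alert.action == 'blocked').

    Blocking performed outside Suricata (for example by a pf table that a
    firewall package fills from alerts) is not visible in this field, so an
    empty result does not by itself mean nothing was blocked."""
    return sorted({x["src_ip"] for x in alerts if x["action"] == "blocked"})


if __name__ == "__main__":
    alerts = parse_eve_alerts(SAMPLE_SYSLOG)
    for sid_action, n in sorted(count_by_signature(alerts).items()):
        print(sid_action, n)
    print("blocked sources:", blocked_sources(alerts))
```

The caveat in `blocked_sources` is the practical check to make before trusting a dashboard built on forwarded logs: `alert.action` only reflects what Suricata's own engine did with the packet, so if the firewall-side blocking is implemented outside Suricata, you need the firewall's block list or its own log to confirm that the IPS is doing what the alert count suggests.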
