Suricata At Home


This is my first post here. I really appreciate the YouTube videos Lawrence Tech provides. They are very informative.

I am running a Netgate pfSense SG-2440 at home. I mostly use pfBlockerNG/DNSBL to block ads, trackers, and other garbage. I used to forward quite a few camera ports, but have wised up and only open port 443 TCP for OpenVPN.

I have watched the Suricata video and was wondering if it makes sense to use it at home. The WAN alert log shows lots of alerts for activity that I believe is already blocked by my firewall rules. Here is a screenshot showing some alerts on my WAN interface. Can I be sure these have been blocked by the firewall if the associated Src Ports are not open?
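A way to answer the "was this already blocked?" question from the alert data, as an added example that is not from the original post or from the Suricata/pfSense projects. Suricata on pfSense in legacy mode captures the interface with libpcap, so it alerts on packets whether or not pf drops them afterwards; what decides whether an inbound packet is passed is its destination port and protocol on the WAN side, not the remote source port. The script below reads EVE JSON alert lines (field names follow Suricata's EVE output; the records, the WAN address 198.51.100.10 and the single 443/TCP pass rule are all assumptions for this example) and sorts each alert into: passed by the open port, dropped by the default WAN deny, possibly a reply to an outbound connection (pf's state table would pass that), or outbound from the home network.

```python
"""Sort Suricata WAN alerts by what a default-deny pfSense WAN would do with them.

Added example, not the original poster's setup. Assumptions: WAN address is
198.51.100.10 (documentation range), the only inbound pass rule is 443/TCP,
and the EVE JSON records below are constructed.
"""
import json
import sys
from collections import Counter

WAN_IP = "198.51.100.10"        # assumed home WAN address
OPEN_INBOUND = {("TCP", 443)}   # assumed: only 443/TCP (OpenVPN) is passed inbound

# Constructed eve.json lines; only the field names come from Suricata's EVE format.
SAMPLE_EVE = r"""
{"event_type":"alert","src_ip":"203.0.113.7","src_port":41022,"dest_ip":"198.51.100.10","dest_port":23,"proto":"TCP","alert":{"signature":"CONSTRUCTED telnet probe","severity":2}}
{"event_type":"alert","src_ip":"203.0.113.8","src_port":55100,"dest_ip":"198.51.100.10","dest_port":445,"proto":"TCP","alert":{"signature":"CONSTRUCTED SMB probe","severity":1}}
{"event_type":"alert","src_ip":"203.0.113.9","src_port":60001,"dest_ip":"198.51.100.10","dest_port":443,"proto":"TCP","alert":{"signature":"CONSTRUCTED TLS client hello anomaly","severity":3}}
{"event_type":"alert","src_ip":"203.0.113.10","src_port":5060,"dest_ip":"198.51.100.10","dest_port":5060,"proto":"UDP","alert":{"signature":"CONSTRUCTED SIP scan","severity":2}}
{"event_type":"alert","src_ip":"192.0.2.44","src_port":80,"dest_ip":"198.51.100.10","dest_port":52310,"proto":"TCP","alert":{"signature":"CONSTRUCTED suspicious HTTP response","severity":2}}
{"event_type":"alert","src_ip":"198.51.100.10","src_port":52311,"dest_ip":"192.0.2.45","dest_port":53,"proto":"UDP","alert":{"signature":"CONSTRUCTED DNS query to listed domain","severity":2}}
{"event_type":"flow","src_ip":"203.0.113.7","src_port":41022,"dest_ip":"198.51.100.10","dest_port":23,"proto":"TCP"}
"""


def load_alerts(text):
    """Parse EVE JSON lines and keep only event_type == "alert" records."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") == "alert":
            alerts.append(event)
    return alerts


def classify(event, wan_ip=WAN_IP, open_inbound=OPEN_INBOUND):
    """Return what a default-deny WAN with the given pass rules does with this packet.

    "possible_reply" is a heuristic (well-known source port, ephemeral destination
    port): such a packet may belong to a connection the LAN opened, which pf's
    state table passes without any inbound rule. Confirm it in the firewall log.
    """
    if event["src_ip"] == wan_ip:
        return "outbound"
    if event["dest_ip"] != wan_ip:
        return "transit"  # neither end is this WAN; not expected on a single-WAN home box
    proto = event["proto"].upper()
    src_port, dest_port = int(event["src_port"]), int(event["dest_port"])
    if (proto, dest_port) in open_inbound:
        return "passed_open_port"
    if src_port < 1024 <= dest_port:
        return "possible_reply"
    return "dropped_default_deny"


def summarize(text, wan_ip=WAN_IP, open_inbound=OPEN_INBOUND):
    """Count alerts per disposition; missing categories read as 0."""
    return Counter(classify(ev, wan_ip, open_inbound) for ev in load_alerts(text))


def report(text, wan_ip=WAN_IP, open_inbound=OPEN_INBOUND):
    """One line per alert: disposition, 5-tuple and signature."""
    lines = []
    for ev in load_alerts(text):
        lines.append(
            f'{classify(ev, wan_ip, open_inbound):22} {ev["proto"]} '
            f'{ev["src_ip"]}:{ev["src_port"]} -> {ev["dest_ip"]}:{ev["dest_port"]}  '
            f'{ev["alert"]["signature"]}'
        )
    return lines


if __name__ == "__main__":
    # Pass a real eve.json path to run against your own alert log; no argument
    # uses the constructed sample above.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    print("\n".join(report(data)))
    print(dict(summarize(data)))
```

Anything in the "dropped_default_deny" bucket is what the firewall's WAN default deny already takes care of; the "passed_open_port" and "possible_reply" lines are the ones worth looking at, and the pfSense firewall log (pass and block entries for the same 5-tuple) is the authoritative check for either.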

My thought is if you have ports open and have the horsepower and time to fine tune it, why not. I’m curious what others think though.

I don’t bother running it at home as there are too many false positives that I don’t have the time to troubleshoot. Even at our office we don’t run it on all the networks, just the ones where we have our systems and servers.

I am currently running Snort at home using the lowest level of predefined settings, which is supposed to minimize false positives. It's not blocking anything yet. I don't see too much there in the way of alerts, however.

Truth be told, I’m not sure how much utility it really has since most traffic is https anyway and snort/suricata can’t see into that traffic.