Suricata on 1 port

Is it possible to have Suricata scanning traffic on a single port?

I’m running pfSense 2.6 with the latest version of Suricata.
I have Suricata scanning the LAN side since pfSense is automatically closed off to incoming WAN connections.

I have Plex set up on my NAS with UPnP enabled on my pfSense fw. As you probably already know, Plex uses port 32400, so now I have that open to the world.

Is it possible to have Suricata scanning just that port on the WAN side so I’m not wasting CPU cycles and filling logs with all the noise of the entire WAN port?

Thanks!

I don’t think you can use Suricata on just one port.


Am I over-thinking it all? Should I bother turning it on on the WAN side as well, or am I really no less secure than I was before? I’m a novice to all this stuff, so…

Thanks for your time!

I would just have it scan the wan for a while, this brings up alerts that you can then bypass. Then turn blocking on after you stop some of the “false” alerts. You’ll still need to monitor fairly often to stop it from blocking things you need and know are OK.

Alternate would be to put Plex on its own VLAN, then you could scan that VLAN and not mess with the rest of the traffic on your normal LAN.

Ya know?.. that’s actually a REALLY good idea (putting it on its own VLAN)…

I’m not worried about scanning everything that comes through, that’s the whole point of it… but as Tom pointed out in his Suricata video (from which I’ve learned a FRIGGIN’ TON!, thank you Tom), all ports on the WAN are closed so there’s no point in running Suricata on the WAN side because it’ll just generate a whole bunch of meaningless noise… unless I’m opening up ports for services… which, while I’m not hosting anything per se, I do have a Plex server set up and several Rokus from family’s homes are pulling media from it… so nothing inbound like VPN traffic, but video is streaming outbound and I do remote into the plex.tv web interface…

I have more than enough processing power running pfSense so scanning the WAN isn’t an issue. Just wondering if there’s a point to it.

Thanks!

I’ll disagree about running it on the WAN side, not all attacks happen from the outside. Suricata will block traffic from the inside out too, so if you get a bug and it tries to call out, it may get intercepted and blocked so it can’t download its payload. Performance in this direction depends on a lot of things, but it might just save you in the end.

That said, yes, there is a bunch of messing around with the rules (especially free rules) that you need to do. The Emerging Threats free list gets a lot of “false” positives, in quotes because they can be used for attacks but are probably just noise on the line. Things like ack out of time and 3-way handshake are pretty common to see. I don’t see the free Snort rules catching too many things; they may be way less sensitive, and ET grabs things first.

Also be aware that if you are in certain countries, ET may block all your traffic. Certain IP ranges have a low reputation and get blocked without even looking at the traffic. If you live in one of these areas, it might be trouble.
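The "run it on the WAN for a while, then bypass the noisy alerts" approach from the replies above can be made less manual with a small script. This is an added example, not code from the thread or from the Suricata or pfSense projects: it reads Suricata's eve.json alert log, splits alerts by whether they touched the one open service port (32400 for Plex, as in the question) versus ports the firewall closes anyway, and emits `threshold.config` suppress entries for signature/source pairs that keep firing. The sample log lines and the signature IDs in them are constructed placeholders, not real ET or Snort rules.

```python
import json
from collections import Counter

PLEX_PORT = 32400  # the single WAN port the question opens for Plex

# Constructed eve.json alert records (not real captures; placeholder SIDs).
SAMPLE_EVE = """
{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","src_port":51000,"dest_port":32400,"alert":{"gid":1,"signature_id":9000001,"signature":"TEST stream 3way handshake"}}
{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","src_port":51001,"dest_port":32400,"alert":{"gid":1,"signature_id":9000001,"signature":"TEST stream 3way handshake"}}
{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","src_port":51002,"dest_port":32400,"alert":{"gid":1,"signature_id":9000001,"signature":"TEST stream 3way handshake"}}
{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","src_port":51003,"dest_port":32400,"alert":{"gid":1,"signature_id":9000002,"signature":"TEST ack out of window"}}
{"event_type":"alert","src_ip":"198.51.100.5","dest_ip":"192.0.2.10","src_port":40000,"dest_port":22,"alert":{"gid":1,"signature_id":9000002,"signature":"TEST ack out of window"}}
{"event_type":"flow","src_ip":"198.51.100.5","dest_ip":"192.0.2.10"}
"""

def parse_alerts(text):
    """Return only event_type=alert records from newline-delimited eve.json text."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            rec = json.loads(line)
            if rec.get("event_type") == "alert":
                alerts.append(rec)
    return alerts

def summarize(alerts, service_port=PLEX_PORT):
    """Count alerts per (gid, sid) split by whether the flow touches the open service port."""
    on_port, off_port = Counter(), Counter()
    for a in alerts:
        key = (a["alert"]["gid"], a["alert"]["signature_id"])
        touches = service_port in (a.get("src_port"), a.get("dest_port"))
        (on_port if touches else off_port)[key] += 1
    return on_port, off_port

def suppress_lines(alerts, min_hits=3):
    """Emit threshold.config suppress entries for signature/source pairs seen >= min_hits times."""
    pairs = Counter((a["alert"]["gid"], a["alert"]["signature_id"], a["src_ip"]) for a in alerts)
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
            for (gid, sid, ip), n in sorted(pairs.items()) if n >= min_hits]

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    on_port, off_port = summarize(alerts)
    print("alerts touching the Plex port:", dict(on_port))
    print("alerts on ports the firewall closes anyway:", dict(off_port))
    print("\n".join(suppress_lines(alerts)))
```

Review the candidate suppress lines by hand before pasting them into the Suricata suppress list; a signature that fires repeatedly from one source is noise only if you have confirmed that source is benign.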