I was using Suricata in Security Onion to get IDS alerts and, since SO does not support Suricata IPS, I started exploring pfSense Suricata IDS/IPS. Now I have Suricata IDS alerts in SO as well as in pfSense. In addition to this, Suricata in pfSense can do the blocking part using legacy-mode blocking. It means IPS is sorted in pfSense.
If I want to integrate Security Onion and pfSense for Suricata IDS/IPS, then what would be the best possible solution:
- Just forward pfSense remote logs (IPS/IDS) to the SO then have alerts on SO-Kibana and remove Suricata IDS from SO?
- Forward SO Suricata IDS alerts to the pfSense using plugins and let pfSense perform only IPS (Blocking) - (sounds weird?)
Kindly share suggestions.
I think I also responded to your question (or else one very similar) over on the pfSense forum.
To answer it here as well for any others who stumble upon this thread:
The solution I would recommend is to forward the Suricata logs over to Security Onion and let SO be your SIEM. The pfSense firewall distro is optimized for firewalling. It is not suited for hosting fancy log analysis tools. That stuff is better handled on a separate box.
You can easily forward syslog data over to SO within pfSense. You could also install the filebeat client package from FreeBSD 12.3 STABLE onto pfSense and use that to forward the EVE JSON logs from Suricata on pfSense over to SO for processing in Kibana.
There is no method within pfSense or Suricata on pfSense to support your option #2 (sending SO IDS alerts back over to pfSense). And to be honest, that really makes no sense because all of that blocking functionality (and more) already exists within Suricata on pfSense.
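As an added illustration of the forwarding approach recommended above (not code from the thread or from pfSense or Security Onion), this Python snippet reads Suricata EVE JSON lines, keeps only `alert` events, and reduces each to the fields a SIEM would index, including `alert.action` ("blocked" vs "allowed"), which is how legacy-mode blocking on pfSense shows up in the log. The sample log lines are constructed; the `eve_alerts` and `summarize` names are my own.

```python
import json
from collections import Counter

# Constructed sample EVE JSON lines (two alerts, one flow record), not real pfSense output.
SAMPLE_EVE = """
{"timestamp":"2022-01-10T12:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":44321,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2022-01-10T12:00:02.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","proto":"UDP"}
not json at all
{"timestamp":"2022-01-10T12:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":44322,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
"""


def eve_alerts(text):
    """Yield normalized alert records from EVE JSON text; skip non-alert and malformed lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # EVE files can contain partial last lines; never crash the shipper
        if ev.get("event_type") != "alert":
            continue
        a = ev.get("alert", {})
        out.append({
            "timestamp": ev.get("timestamp"),
            "src": f"{ev.get('src_ip')}:{ev.get('src_port')}",
            "dst": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
            "proto": ev.get("proto"),
            "sid": a.get("signature_id"),
            "signature": a.get("signature"),
            "severity": a.get("severity"),
            # "blocked" means the pfSense Suricata instance dropped/blocked; "allowed" means alert-only
            "action": a.get("action", "allowed"),
        })
    return out


def summarize(alerts):
    """Count alerts by (sid, action): a quick check that blocking is actually happening."""
    return Counter((al["sid"], al["action"]) for al in alerts)


if __name__ == "__main__":
    alerts = eve_alerts(SAMPLE_EVE)
    for al in alerts:
        print(json.dumps(al))
    print(dict(summarize(alerts)))
```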