Suricata IDS not working with NordVPN connected

Question

I configured suricata.yaml file to detect intrusion in any interface and it works well without NordVPN.

When I test Suricata by visiting:

curl http://testmynids.org/uid/index.html

Result of sudo tail /var/log/suricata/fast.log | grep 2100498:

08/14/2023-22:28:35.580451  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 64.12.213.57:80 -> 192.168.15.17:3354

However, when I connect to NordVPN (nordvpn connect us-ca55) the test traffic is not being detected.

Any ideas on how to properly set up the yaml config file? My intuition tells me it is just one or two lines of code, but I can't find where.

I used ip a to find the interfaces, tried 3 of them, also any but is not detecting the test traffic with the VPN connected.

I'm using Ubuntu 22.04.

I think you are missing some details here. For instance, "when I connect NordVPN" -- how are you doing that? Why do you think that this is a suricata issue and not a basic networking issue? — schroeder, Commented Aug 15, 2023 at 8:00
I'm connecting NordVPN via CLI. In fact I don't know if it is really a suricata config issue. The point is when I connect the VPN, suricata does not log the test traffic. I don't know how the VPN tunnel works in the interface. — razimbres, Commented Aug 15, 2023 at 15:39
... and what command do you use? Do you get a new interface when you run it? — schroeder, Commented Aug 15, 2023 at 16:05
nordvpn connect us-ca55 in the CLI, no interface is created, it just tell me You are connected to Canada - United States #66 (ca-us66.nordvpn.com)!. — razimbres, Commented Aug 15, 2023 at 16:50
Probably because you are telling Suricata to listen to a physical interface, and NordVPN creates a virtual interface. — ThoriumBR, Commented Aug 15, 2023 at 20:38

razimbres · Accepted Answer · 2023-08-15 22:19:27Z

0

I solved the problem. The problem was at ports used by NordVPN and interface.

These lines of code in suricata.yaml solved the problem:

port-groups:

FILE_DATA_PORTS: "[$HTTP_PORTS,110,143,443,51820]"
TCP_PORTS: "[1723,1701]"
UDP_PORTS: "[500,4500,1194]"

interface: nordlynx

answered Aug 15, 2023 at 22:19

razimbres

1012 bronze badges

Add a comment |

Stack Exchange Network

Suricata IDS not working with NordVPN connected

1 Answer 1

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged
vpn
suricata
.

Hot Network Questions

Suricata IDS not working with NordVPN connected

1 Answer 1

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged vpnsuricata.

Related

Hot Network Questions

Not the answer you're looking for? Browse other questions tagged
vpn
suricata
.