pfsense + Suricata + Security Onion

[Jackson-Pollock]

Hi,

I was using Suricata in Security Onion to get IDS alerts and since SO does not support Suricata IPS I started exploring pfSense Suricata IDS/IPS. Now I've Suricata IDS alerts in SO as well as in pfSense. In addition to this Suricata in pfSense can do the blocking part using legacy-mode blocking. It means IPS is sorted in pfSense.

If I want to integrate Security onion and pfSense for Suricata IDS/IPS then what would be the best possible solution:

1. Just forward pfSense remote logs (IPS/IDS) to the SO then have alerts on SO-Kibana and remove Suricata IDS from SO?
2. Forward SO Suricata IDS alerts to the pfSense using plugins and let pfSense perform only IPS (Blocking) - (sounds weird?)

Kindly share suggestions.

[Jackson-Pollock]

This is answered in forums
https://forum.netgate.com/topic/170831/suricata-ips/5
https://forum.suricata.io/t/pfsense-suricata-security-onion/2321