OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: bazbaz on October 26, 2023, 09:50:53 AM

Title: single bypass
Post by: bazbaz on October 26, 2023, 09:50:53 AM
Hi,
I cannot find the right way to bypass a specific IP with regard to a specific rule.
For example, I have a SIP server (a PBX) and a Suricata rule is blocking IPs when there are many failed SIP accesses from them. This is ok, but I need to whitelist my remote IP to avoid a single misconfigured phone causing a block for the whole remote site accessing the PBX.

How can I do this?
The only way I found seems to be to create a "user defined rule" adding the remote IP and flagging it as bypass. But this will bypass every rule for that IP.
In pfSense+Suricata I was used to adding a single alert to the suppress list with a click on the alert row. Is there some way to perform this?

thanks
Title: Re: single bypass
Post by: Monviech (Cedrik) on October 27, 2023, 10:40:05 AM
From what I know, you can only bypass a single IP (which you have found out already), or turn off a rule completely in "Policy, Rule adjustments". Those are the GUI options.

I know though that in the shell there is a configuration file imported for user added rules, so you could add your own suricata rule for that IP that skips a specific SID... I think.

Now I wonder if I could add a SID field into the GUI of the user defined bypass rules. I will check that sometime.
Title: Re: single bypass
Post by: bazbaz on October 27, 2023, 11:56:41 AM
I think that the best would be a command in the alerts table, where I can add, with a click, a user defined rule that will bypass the source IP, or the destination one, related to that SID rule.

BTW, trying to do that manually, I cannot understand whether what I see in the alerts table is right:
2023-10-27T10:45:31.151289+0200   2003194   allowed   <INTLAN>   <INTIPAFTERNAT>   5060   <REMOTEHOSTIP>   39983   ET VOIP Multiple Unauthorized SIP Responses TCP

It reports that REMOTEHOSTIP has received multiple "unauthorized SIP access" responses from my PBX. This is clear, but the "attacker" is REMOTEHOSTIP (the "destination" in the table), not INTIPAFTERNAT (the "source" in the table, my PBX internal IP).
I know that there is some misconfigured phone in the remote site, but I know who REMOTEHOSTIP is and it's ok, so I need to allow it. I think I need to allow REMOTEHOSTIP as destination, not as source, and this is not intuitive. Is this right?
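As an added example (not code from the thread, from OPNsense or from its author), the per-SID idea from Monviech's reply and the source/destination question in the last post, put together: a small Python script that parses alert rows in the same shape as the one quoted above and emits a Suricata threshold.config `suppress` entry for that SID, choosing `track by_dst` when the trusted host appears as the destination (as in the quoted alert, where the PBX is the source of the unauthorized responses) and `track by_src` when it appears as the source. The addresses are constructed RFC 5737 documentation addresses standing in for the placeholders; whether and where OPNsense's generated Suricata configuration loads a custom threshold file is not covered by the thread and is assumed here, as is the nine-column layout of the row.

```python
import re
import ipaddress

# Constructed sample rows in the shape of the alert-table row quoted in the thread:
# timestamp, SID, action, interface, source, source port, destination, destination
# port, message. Placeholders are replaced by RFC 5737 documentation addresses.
SAMPLE_ROWS = [
    "2023-10-27T10:45:31.151289+0200   2003194   allowed   LAN   192.0.2.10   5060"
    "   203.0.113.25   39983   ET VOIP Multiple Unauthorized SIP Responses TCP",
    "2023-10-27T10:46:02.000000+0200   2003194   allowed   LAN   192.0.2.10   5060"
    "   198.51.100.7   40010   ET VOIP Multiple Unauthorized SIP Responses TCP",
]

# Columns are separated by runs of two or more spaces; the message column itself
# contains single spaces, so a single-space split would break it apart.
FIELD_SEP = re.compile(r"\s{2,}")


def parse_alert_row(row):
    """Split one alert-table row into a dict with typed source/destination fields."""
    fields = FIELD_SEP.split(row.strip())
    if len(fields) != 9:  # assumed column layout, see lead-in
        raise ValueError(f"expected 9 columns, got {len(fields)}: {row!r}")
    ts, sid, action, iface, src, sport, dst, dport, msg = fields
    return {
        "timestamp": ts,
        "sid": int(sid),
        "action": action,
        "interface": iface,
        "src": ipaddress.ip_address(src),
        "sport": int(sport),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "msg": msg,
    }


def suppress_line(alert, trusted_ip, gen_id=1):
    """Build a threshold.config 'suppress' entry for this alert's SID, tracked on
    whichever side of the flow the trusted host sits. Returns None if the trusted
    host is neither source nor destination, so no suppression is emitted for it."""
    trusted = ipaddress.ip_address(trusted_ip)
    if alert["dst"] == trusted:
        track = "by_dst"   # the quoted alert: PBX -> remote site, remote site is dst
    elif alert["src"] == trusted:
        track = "by_src"
    else:
        return None
    return f"suppress gen_id {gen_id}, sig_id {alert['sid']}, track {track}, ip {trusted}"


def suppress_lines_for(rows, trusted_ips):
    """Parse all rows and return the de-duplicated suppress entries needed for the
    trusted hosts, in first-seen order (one entry per SID/direction/host)."""
    seen = []
    for row in rows:
        alert = parse_alert_row(row)
        for ip in trusted_ips:
            line = suppress_line(alert, ip)
            if line is not None and line not in seen:
                seen.append(line)
    return seen


if __name__ == "__main__":
    # Only 203.0.113.25 is trusted here; 198.51.100.7 keeps alerting.
    for line in suppress_lines_for(SAMPLE_ROWS, ["203.0.113.25"]):
        print(line)
```

The script only narrows suppression to one SID and one host; the direction check is the part that answers the "source or destination" question in the post, since the ET rule fires on the PBX's responses and the remote site is therefore the destination in Suricata's view.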