Hi,
I use 16.7.7 and have one special network.
B point 10.87.0.34/30 (gateway)
A point 10.87.0.33/30 (WAN)
Public IP (LAN)
Private IP (NAT)
10.87.0.32/30 and Private IP are outbound NAT for the LAN Public IP through the WAN interface. The Public IP is routed through the A point WAN to the B point gateway. The network traffic is normal. I use IDS and enable the ET-TROJAN rules. I try to query qfsl.net and trigger that alert. Only the NAT interface is triggered. No alert on the WAN and LAN interfaces.
Hi everfree,
Are the rules fetched/enabled, and was the configuration applied again afterwards? Do you see any alerts in non-IPS mode?
I remember an issue with a test setup that did not work because the Suricata rules use $HOME_NET and its inverse to filter for source/destination, but that also prevents alerts from triggering when testing between two private networks.
I don't quite understand the WAN/LAN/NAT setup, can you please explain?
Cheers,
Franco
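
A sketch of the `$HOME_NET` filtering described in the reply above, added here as an example and not part of either post or of Suricata's or OPNsense's own code. It assumes `HOME_NET` is the RFC 1918 ranges with `EXTERNAL_NET` as its inverse; the rule headers and flow addresses are constructed.

```python
import ipaddress

# Assumption: HOME_NET holds the RFC 1918 ranges and EXTERNAL_NET is "!$HOME_NET".
# Check the values your own Suricata configuration actually uses.
DEFAULT_HOME_NET = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def in_home_net(addr, home_net=DEFAULT_HOME_NET):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in home_net)


def side_matches(var, addr, home_net=DEFAULT_HOME_NET):
    """Evaluate one side of a rule header against one address."""
    if var == "any":
        return True
    if var == "$HOME_NET":
        return in_home_net(addr, home_net)
    if var == "$EXTERNAL_NET":
        return not in_home_net(addr, home_net)
    raise ValueError(f"unsupported address variable: {var}")


def header_matches(src_var, dst_var, src, dst, home_net=DEFAULT_HOME_NET):
    """True if a 'src_var -> dst_var' header accepts a packet from src to dst."""
    return side_matches(src_var, src, home_net) and side_matches(dst_var, dst, home_net)


# Constructed flows (documentation and private addresses, not from the thread).
FLOWS = [
    ("private client -> public resolver", "192.168.1.10", "203.0.113.53"),
    ("private client -> private resolver", "192.168.1.10", "10.0.0.53"),
    ("public client -> public resolver", "198.51.100.10", "203.0.113.53"),
]


def report(src_var, dst_var, home_net=DEFAULT_HOME_NET):
    return {name: header_matches(src_var, dst_var, s, d, home_net) for name, s, d in FLOWS}


if __name__ == "__main__":
    for hdr in (("$HOME_NET", "$EXTERNAL_NET"), ("$HOME_NET", "any")):
        print(hdr, report(*hdr))
    # Adding the public LAN range to HOME_NET lets the third flow match.
    print(report("$HOME_NET", "any", DEFAULT_HOME_NET + ("198.51.100.0/24",)))
```

A flow whose source is a public address never satisfies a `$HOME_NET` source filter until that range is listed in `HOME_NET`, and a private-to-private test never satisfies a `$EXTERNAL_NET` destination filter.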