I am running dual-stack IPv4/6 and have Suricata IDS enabled on LAN only.
I am using all the ET telemetry rules, plus most of the abuse.ch ones.
As I observe them, I am disabling a few select rules, but so far almost all the alerts I see relate to IPv4 traffic. There's the odd report of a dodgy multicast address with IPv6, but that's all.
This includes rules that just alert on lookups against a certain domain, and I know for a fact over half, perhaps 2/3, of my DNS lookups are over IPv6, so why are only the IPv4 references hit?
I presume this is a deficiency in the rules; not much I can do about that, but I also want to rule out configuration issues.
Any suggestions?
OK, I figured it out. I looked in the ET telemetry rules and, since they use HOME_NET a lot, realised that I needed to add my IPv6 prefix (or LAN config) into the HOME_NET value that Suricata uses (under advanced settings).
With this done, Suricata is now detecting IPv6 traffic too :-)
One question though: if I changed ISP in future, or my ISP changes policy, I'd need to update this config with the prefix.
Is there any option built into OPNsense that would automatically pick up the prefix? Or would it be a case of manual scripting? Are there appropriate events to trigger off to make the config change?
Seems like it needs a HOME_NET6 or something that tags HOME_NET with an IPv6 value. It may be in there, but this is still like black magic to me and I need to dig way deeper.
I just needed to add the right IPv6 CIDR into HOME_NET :-)
For now I've added my entire prefix (/48). I could add just the LAN prefix (/64).
Though the question remains as to whether this could be added automatically.
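The thread's finding (rules written as `$HOME_NET any -> $EXTERNAL_NET ...` never fire for IPv6 until the IPv6 prefix is in HOME_NET) can be reproduced with a small model of Suricata's address-variable matching. This is an added example, not code from any of the posters, from Suricata or from OPNsense; it uses the Suricata default of `EXTERNAL_NET: !$HOME_NET`, ignores `!` negations inside HOME_NET itself, and all addresses, prefixes and flows are constructed from documentation ranges (2001:db8::/32, 192.168.1.0/24). It also shows the difference between adding the whole /48 and only the LAN /64, and how the LAN /64 can be derived from an interface address of the form ifconfig reports.

```python
"""Model of Suricata HOME_NET / EXTERNAL_NET matching for dual-stack flows.

Added example for the thread above; not Suricata's or OPNsense's own code.
Assumptions: EXTERNAL_NET is the Suricata default "!$HOME_NET", and
HOME_NET is a plain comma-separated list (no "!" negations handled).
All addresses below are constructed from documentation ranges.
"""
import ipaddress


def parse_home_net(spec):
    """Parse a HOME_NET value such as "[192.168.1.0/24,2001:db8:1::/48]"
    into a list of ip_network objects (IPv4 and IPv6 mixed is fine)."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    return [
        ipaddress.ip_network(part.strip(), strict=False)
        for part in spec.split(",")
        if part.strip()
    ]


def in_home_net(addr, home_nets):
    """True if addr falls inside any HOME_NET entry. ipaddress returns False
    (not an error) when the address family differs, so a v6 address is simply
    not in a v4-only HOME_NET."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in home_nets)


def rule_matches(flow, home_nets):
    """Model of a rule header 'alert dns $HOME_NET any -> $EXTERNAL_NET 53':
    source must be in HOME_NET and destination must NOT be (EXTERNAL_NET)."""
    return in_home_net(flow["src"], home_nets) and not in_home_net(flow["dst"], home_nets)


# Constructed sample flows: a v4 lookup, a v6 lookup from the LAN /64, and a
# v6 lookup from another /64 inside the same delegated /48 (e.g. a guest VLAN).
FLOWS = [
    {"name": "v4 dns lookup", "src": "192.168.1.20", "dst": "9.9.9.9"},
    {"name": "v6 dns lookup from LAN /64", "src": "2001:db8:1:2::20", "dst": "2620:fe::fe"},
    {"name": "v6 dns lookup from other /64 in /48", "src": "2001:db8:1:7::5", "dst": "2620:fe::fe"},
]


def alerting_flows(home_net_spec):
    """Names of the sample flows that would trigger the modelled rule."""
    nets = parse_home_net(home_net_spec)
    return [flow["name"] for flow in FLOWS if rule_matches(flow, nets)]


def lan_prefix_from_interface(addr_with_prefixlen):
    """Derive the LAN /64 from an interface address, e.g. the value a script
    would read from 'ifconfig <lan> inet6': '2001:db8:1:2::1/64' -> '2001:db8:1:2::/64'."""
    return str(ipaddress.ip_interface(addr_with_prefixlen).network)


if __name__ == "__main__":
    v4_only = "[192.168.1.0/24]"
    with_48 = "[192.168.1.0/24,2001:db8:1::/48]"
    with_64 = "[192.168.1.0/24," + lan_prefix_from_interface("2001:db8:1:2::1/64") + "]"
    for label, spec in (("v4 only", v4_only), ("with /48", with_48), ("with LAN /64", with_64)):
        print(f"HOME_NET {spec:48} -> alerts: {alerting_flows(spec)}")
```

With the IPv4-only HOME_NET, the IPv6 lookups are classified as external-to-external and the rule never fires, which is exactly the symptom in the first post. Adding the delegated /48 covers every /64 the ISP hands out; adding only the LAN /64 leaves hosts on other prefixes (a second VLAN, for example) outside HOME_NET, so pick whichever matches what Suricata is actually inspecting. If the prefix is ever re-delegated, `lan_prefix_from_interface` is the kind of step a script would run on the new interface address before rewriting the HOME_NET value.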