Hi,
I would like to exclude a device from getting inspected.
I tried to achieve this through a user-defined setting that lets the device IP pass the CIDR of my LAN, and ticked the bypass box.
However when in IPS mode – and only when in IPS mode – the device 'complains' and has network issues (it is actually my son that complains because it is his PlayStation and it's lagging like crazy with IPS on).
Any idea how to troubleshoot?
Suricata version: latest built-in OPNsense 25.1.1
Interface: LAN
Pattern Matcher: Hyperscan
Hardware: Intel n100, 8GB RAM
No idea, anyone?
You can try setting a specific pass rule for PlayStation IP at the top of the rules list, and make sure it's set to not use inspection — sometimes the user-defined settings don't override properly in IPS mode.
If you didn't figure it out, this might help.
You can create your own rules file, e.g. put namedfile.rules in /usr/local/etc/suricata/
You might add a rule like:
pass ip 10.10.10.2 any -> 10.10.10.3 any (msg:"Rule for Bypass Example 01"; bypass; sid:1000001; rev:1;)
If you edit the "installed_rules.yaml" file in the /usr/local/etc/suricata/ folder you can add your rules file to the list of "rule-files:"
There are other methods to do this; I believe you can also set up bypass rules for hosts using the GUI.
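A fuller version of the approach in the reply above, added here as an example (not from the thread's posters or from OPNsense): a custom rules file with pass rules covering both directions for the console, plus the rule-files fragment. The file name bypass-playstation.rules, the console address 192.168.1.50 and the sids are placeholders; the console needs a static or reserved lease so the address stays fixed.

```text
# /usr/local/etc/suricata/bypass-playstation.rules   (assumed file name)
# One rule per direction: the page's single rule only covers console -> one host.
# 192.168.1.50 is a placeholder for the console's reserved IP; sids are local (>= 1000000).
# "bypass" marks the matched flow so Suricata stops inspecting the rest of that flow.
pass ip 192.168.1.50 any -> any any (msg:"Bypass PlayStation outbound"; bypass; sid:1000001; rev:1;)
pass ip any any -> 192.168.1.50 any (msg:"Bypass PlayStation inbound";  bypass; sid:1000002; rev:1;)

# /usr/local/etc/suricata/installed_rules.yaml  (fragment: keep the existing entries,
# append the new file to the "rule-files:" list)
rule-files:
  - bypass-playstation.rules
```

Suricata's default action order evaluates pass rules before drop rules, so the flow is exempted regardless of where the file sits in the list; run `suricata -T -c /usr/local/etc/suricata/suricata.yaml` (path assumed for OPNsense) to check the rules parse before restarting the service.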