OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: SecAficionado on February 10, 2019, 05:22:50 pm

Title: Proposed config change for Suricata
Post by: SecAficionado on February 10, 2019, 05:22:50 pm

I was experiencing the same issue as is discussed in this post https://github.com/NethServer/dev/issues/5152, which says that unless the WAN IP address(es) is(are) in the Home Networks list, a number of Suricata rules won't fire.

To replicate it, I followed these steps:
I did not get any alerts from Suricata.

Then, I added my WAN interface IP address to Services/Intrusion Detection/Administration/Settings in the Home Networks field. I should say that Suricata was configured to look at LAN and WAN. Immediately after pressing Apply, I saw a flood of alerts, as I had expected before. I disabled the test Alert fingerprint rule and I started seeing blocked connections that were simply passing through before without firing any alerts.

The proposed change is to add the WAN IP address to Home Networks when the WAN network is selected in the corresponding drop-down. It might even make sense to enable it by default.
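As an added illustration of the behaviour described above (not code from the original post, OPNsense, or the linked NethServer issue), the fragment below shows the Suricata `vars` section before and after the WAN address is included in `HOME_NET`, together with a rule of the shape that depends on it. The addresses are constructed sample values, and it is assumed here that the OPNsense "Home Networks" field is what populates `HOME_NET` in the generated suricata.yaml.

```yaml
# Constructed example: what the address groups look like when only the LAN
# prefix is listed as a "home" network. EXTERNAL_NET is the complement, so the
# WAN interface address (203.0.113.10 here, a documentation-range placeholder)
# counts as *external*, and inbound traffic to it never matches $HOME_NET.
vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

# Same section with the WAN interface address added, as the post proposes.
# Now a packet arriving on WAN destined for 203.0.113.10 satisfies the
# "$EXTERNAL_NET any -> $HOME_NET any" direction test of most ruleset entries.
vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24,203.0.113.10]"
    EXTERNAL_NET: "!$HOME_NET"

# Typical rule shape (constructed; sid is a placeholder in the local-rule range).
# With the first config above the destination 203.0.113.10 is not in $HOME_NET,
# so this rule is silently skipped for WAN-bound traffic; with the second it fires.
#   alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE inbound probe"; \
#     flow:to_server; sid:1000001; rev:1;)
```

The practical check is the one the poster performed: after changing Home Networks and applying, watch for alerts on traffic you know reaches the WAN address. If nothing appears, the rules selected for the WAN interface are most likely still being evaluated with the WAN address on the `$EXTERNAL_NET` side.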