OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: spetrillo on January 02, 2021, 07:58:53 pm

Title: Suricata and Pi-Hole
Post by: spetrillo on January 02, 2021, 07:58:53 pm
Hello all,

I am noticing a number of the following in my Suricata logs:

2021-01-02T12:40:58   suricata[50565]   [1:2027865:2] ET INFO Observed DNS Query to .cloud TLD [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.30.8:35422 -> 192.168.1.1:53   
2021-01-02T10:56:28   suricata[50565]   [1:2030555:1] ET INFO Outbound RRSIG DNS Query Observed [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.30.8:48950

This is related to my Pi-Hole setup. I would like to ignore these but if I disable the alert I fear I am going to miss real issues. If I disable does it mean I just disable for these type or all types of alerts? Can I use a rule to filter these out?

Thanks,
Steve
Title: Re: Suricata and Pi-Hole
Post by: jean.paradis on January 04, 2021, 03:35:58 am
You can go into Alerts and disable the alert, but this will disable the filtering rule.

Otherwise, try creating a rule to ignore it in the user-defined rules section.
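To make the distinction in the reply above concrete: disabling an alert in the rule set turns SID 2027865 or 2030555 off for every host, whereas Suricata's own `suppress` mechanism (a line in threshold.config such as `suppress gen_id 1, sig_id 2027865, track by_src, ip 192.168.30.8`) keeps the rule enabled and only discards alerts whose tracked address matches the Pi-hole. The following is an added example, written for this thread and not code from OPNsense, Suricata or any poster: it parses the fast-log style lines Steve quoted, applies two suppress entries with the same semantics, and shows that the same SID from another host is still reported. The third log line, the 192.168.30.77 host, and the rule set are constructed for the demonstration.

```python
"""Apply threshold.config-style `suppress` semantics to Suricata fast-log lines.

Added example for the Pi-hole alert thread; not OPNsense or Suricata code.
A suppress entry leaves the signature enabled for everyone and drops only the
alerts whose tracked (source or destination) address matches the listed IP.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed sample: the two lines quoted in the thread plus a constructed
# third line from a different host (192.168.30.77) hitting the same SID.
SAMPLE_LOG = """\
2021-01-02T12:40:58   suricata[50565]   [1:2027865:2] ET INFO Observed DNS Query to .cloud TLD [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.30.8:35422 -> 192.168.1.1:53
2021-01-02T10:56:28   suricata[50565]   [1:2030555:1] ET INFO Outbound RRSIG DNS Query Observed [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.30.8:48950
2021-01-02T13:02:11   suricata[50565]   [1:2027865:2] ET INFO Observed DNS Query to .cloud TLD [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.30.77:51000 -> 192.168.1.1:53
"""

# Pi-hole address as given in the thread.
PIHOLE = "192.168.30.8"

# One regex for the fast-log layout shown above: timestamp, process, [gid:sid:rev],
# message, classification, priority, protocol, then src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+suricata\[\d+\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification: (?P<cls>[^\]]*)\]\s+\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Suppress:
    """Mirror of one threshold.config line, e.g.
    suppress gen_id 1, sig_id 2027865, track by_src, ip 192.168.30.8
    """
    gid: int
    sid: int
    track: str      # "by_src" or "by_dst"
    net: Network    # a single IP or a CIDR range


def suppress(gid: int, sid: int, track: str, ip: str) -> Suppress:
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    return Suppress(gid, sid, track, ipaddress.ip_network(ip, strict=False))


# Constructed suppress set for the two alerts in the thread. The .cloud query
# originates at the Pi-hole (track the source); the RRSIG alert is logged on
# the packet towards the Pi-hole (track the destination).
SUPPRESS_RULES: List[Suppress] = [
    suppress(1, 2027865, "by_src", PIHOLE),
    suppress(1, 2030555, "by_dst", PIHOLE),
]


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a fast-log line, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        ts=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
        proto=m["proto"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
    )


def is_suppressed(alert: Alert, rules: List[Suppress]) -> bool:
    """True if some rule matches the alert's gid:sid AND its tracked address."""
    for r in rules:
        if (r.gid, r.sid) != (alert.gid, alert.sid):
            continue
        tracked = alert.src if r.track == "by_src" else alert.dst
        if ipaddress.ip_address(tracked) in r.net:
            return True
    return False


def filter_alerts(text: str, rules: List[Suppress]) -> Tuple[List[Alert], List[Alert]]:
    """Split log text into (kept, suppressed); unparseable lines are skipped."""
    kept: List[Alert] = []
    dropped: List[Alert] = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        (dropped if is_suppressed(alert, rules) else kept).append(alert)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_alerts(SAMPLE_LOG, SUPPRESS_RULES)
    for a in dropped:
        print(f"suppressed  sid={a.sid} {a.src} -> {a.dst}  {a.msg}")
    for a in kept:
        print(f"KEPT        sid={a.sid} {a.src} -> {a.dst}  {a.msg}")
```

Running it suppresses both Pi-hole alerts and keeps the constructed .cloud query from 192.168.30.77, which is the behaviour a per-host suppress gives and a disabled rule does not. Whether a given OPNsense release exposes threshold.config through its GUI is not something this thread establishes; the semantics above are Suricata's.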
Title: Re: Suricata and Pi-Hole
Post by: mayo on January 12, 2021, 07:18:04 pm
Hi spetrillo, I have the same issue: Suricata blocks some communications from/to my Pi-hole. Did you configure Suricata for LAN or WAN or both? That's just to know if I did it the right way...
In the meanwhile, we wait for someone to help us.
Title: Re: Suricata and Pi-Hole
Post by: spetrillo on January 13, 2021, 05:52:40 pm
I have Suricata configured in the screenshot. Both my LAN and WAN interfaces are being monitored. I am in IDS mode. I will not turn on IPS, unless I need to.