OPNsense Forum » English Forums » Intrusion Detection and Prevention » Proposed config change for Suricata
Topic: Proposed config change for Suricata (Read 3025 times)
SecAficionado (Newbie, Posts: 42, Karma: 4)
Posted on: February 10, 2019, 05:22:50 pm
Hello,
I was experiencing the same issue as is discussed in this post: https://github.com/NethServer/dev/issues/5152, which says that unless the WAN IP address(es) is (are) in the Home Networks list, a number of Suricata rules won't fire.
To replicate it, I followed these steps:
1. Created a new fingerprint rule in Services/Intrusion Detection/Administration/User defined.
2. The rule is an Alert with all the fields left blank and the action set to Alert, which should show all traffic passing through.
3. Hit Apply.
I did not get any alerts from Suricata.
Then, I added my WAN interface IP address to Services/Intrusion Detection/Administration/Settings in the Home Networks field. I should say that Suricata was configured to look at LAN and WAN. Immediately after pressing Apply, I saw a flood of alerts, as I had expected before. I disabled the test Alert fingerprint rule and I started seeing blocked connections that were simply passing through before without firing any alerts.
The proposed change is to add the WAN IP address to Home Networks when the WAN network is selected in the corresponding drop-down. It might even make sense to enable it by default.
Thanks!
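The mechanism behind the linked issue is Suricata's address variables: most ruleset signatures are written against $HOME_NET and $EXTERNAL_NET (where EXTERNAL_NET defaults to !$HOME_NET), so a flow whose destination is the firewall's WAN address is not "home" traffic unless that address is part of HOME_NET, and the rule header never matches. The following is an added example (not OPNsense or Suricata code, and not part of the post above): a small Python model of Suricata address-group resolution applied to the address part of a rule header. The networks, the WAN address 203.0.113.5 and the rule text are constructed for the example using RFC 5737 documentation ranges; ports and protocols are ignored because only the address matching is being shown.

```python
"""
Toy resolver for Suricata rule address variables (HOME_NET / EXTERNAL_NET).

Added example, not OPNsense or Suricata code. It models only the address
part of a rule header and shows why a rule written against $HOME_NET does
not fire on traffic to the firewall's WAN address unless that address is
included in HOME_NET. All addresses are constructed RFC 5737 examples.
"""
import ipaddress

# Constructed sample topology: LAN is 192.168.1.0/24, the WAN interface
# holds 203.0.113.5, and 198.51.100.7 is a host on the Internet.
LAN_NET = "192.168.1.0/24"
WAN_IP = "203.0.113.5"
INTERNET_HOST = "198.51.100.7"
LAN_HOST = "192.168.1.10"

# Constructed rules in Suricata syntax (sids in the local 1000000+ range).
INBOUND_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
                '(msg:"SSH to home net"; sid:1000001; rev:1;)')
OUTBOUND_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
                 '(msg:"outbound from home net"; sid:1000002; rev:1;)')


def make_matcher(spec, variables):
    """Return a predicate ip -> bool for a Suricata address specification.

    Supports 'any', '$VAR', '!spec', single addresses, CIDR networks and
    one level of bracketed groups such as '[192.168.1.0/24,!192.168.1.1]'.
    Inside a group, negated entries are exclusions from the positive ones;
    a group with only negated entries means "anything except those".
    """
    spec = spec.strip()
    if spec == "any":
        return lambda ip: True
    if spec.startswith("!"):
        inner = make_matcher(spec[1:], variables)
        return lambda ip: not inner(ip)
    if spec.startswith("$"):
        return make_matcher(variables[spec[1:]], variables)
    if spec.startswith("[") and spec.endswith("]"):
        parts = [p.strip() for p in spec[1:-1].split(",") if p.strip()]
        pos = [make_matcher(p, variables) for p in parts if not p.startswith("!")]
        neg = [make_matcher(p[1:], variables) for p in parts if p.startswith("!")]
        if not pos:
            pos = [lambda ip: True]
        return lambda ip: any(m(ip) for m in pos) and not any(m(ip) for m in neg)
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


def rule_header_matches(rule, src_ip, dst_ip, variables):
    """Evaluate only the address fields of a rule header.

    Header layout: action proto src_addr src_port dir dst_addr dst_port.
    Ports are ignored; '<>' is treated as bidirectional. Inline address
    groups in the header must not contain spaces for this simple split.
    """
    header = rule.split("(", 1)[0].split()
    _action, _proto, src, _sport, direction, dst, _dport = header[:7]
    src_m, dst_m = make_matcher(src, variables), make_matcher(dst, variables)
    forward = src_m(src_ip) and dst_m(dst_ip)
    if direction == "<>":
        return forward or (src_m(dst_ip) and dst_m(src_ip))
    return forward


def evaluate(home_net):
    """Run the constructed flows against both rules for a given HOME_NET.

    EXTERNAL_NET is defined as !$HOME_NET, which is Suricata's default.
    """
    variables = {"HOME_NET": home_net, "EXTERNAL_NET": "!$HOME_NET"}
    return {
        # Internet host -> LAN host (firewall forwards it)
        "lan_in": rule_header_matches(INBOUND_RULE, INTERNET_HOST, LAN_HOST, variables),
        # Internet host -> firewall's own WAN address
        "wan_in": rule_header_matches(INBOUND_RULE, INTERNET_HOST, WAN_IP, variables),
        # firewall's WAN address -> Internet host (e.g. NATed or local egress)
        "wan_out": rule_header_matches(OUTBOUND_RULE, WAN_IP, INTERNET_HOST, variables),
    }


if __name__ == "__main__":
    # Before: Home Networks contains only the LAN subnet.
    print("HOME_NET = LAN only      :", evaluate(f"[{LAN_NET}]"))
    # After: the WAN address is added to Home Networks, as the post proposes.
    print("HOME_NET = LAN + WAN IP  :", evaluate(f"[{LAN_NET},{WAN_IP}]"))
```

With HOME_NET limited to the LAN subnet, only the forwarded LAN flow matches; flows to or from the WAN address itself match neither rule, because the WAN address is "external" from the rule's point of view. Adding 203.0.113.5 to the group makes both WAN flows match without touching the rules, which is the effect the post describes after adding the WAN IP to Home Networks. Note that when HOME_NET is `any`, EXTERNAL_NET (!$HOME_NET) matches nothing, so HOME_NET-relative rules stop firing altogether; listing specific networks, as OPNsense's Home Networks field does, avoids that trap.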