Proposed config change for Suricata

Started by SecAficionado, February 10, 2019, 05:22:50 PM

Hello,

I was experiencing the same issue as is discussed in this post https://github.com/NethServer/dev/issues/5152, which says that unless the WAN IP address(es) is(are) in the Home Networks list, a number of Suricata rules won't fire.

To replicate it, I followed these steps:

  • Created a new fingerprint rule in Services/Intrusion Detection/Administration/User defined
  • The rule is an Alert with all the fields left blank and set to Alert, which should show all traffic passing through
  • Hit Apply
I did not get any alerts from Suricata.

Then, I added my WAN interface IP address to Services/Intrusion Detection/Administration/Settings in the Home Networks field. I should say that Suricata was configured to look at LAN and WAN. Immediately after pressing Apply, I saw a flood of alerts, as I had expected before. I disabled the test Alert fingerprint rule and I started seeing blocked connections that were simply passing through before without firing any alerts.

The proposed change is to add the WAN IP address to Home Networks when the WAN network is selected in the corresponding drop-down. It might even make sense to enable it by default.

Thanks!
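As an added illustration of the behaviour described above (this is example code written for this thread, not part of the post, NethServer or Suricata itself): a minimal simulation of how Suricata evaluates the address part of a rule header against the HOME_NET and EXTERNAL_NET variables. The rule text, packets, addresses and the helper names (`parse_net_var`, `resolve`, `rule_matches`, `home_net_covers`) are all constructed for this example. It shows why a rule written as `$EXTERNAL_NET any -> $HOME_NET 22` never matches a connection addressed to the firewall's WAN address until that address is part of HOME_NET, and why a LAN-addressed packet matches either way.

```python
"""Simulation of Suricata's HOME_NET / EXTERNAL_NET address matching.
Added example, not Suricata code. Only the subset of the address syntax
needed here is handled: "any", "$VAR", "!$VAR", and bracketed groups
such as "[192.168.1.0/24,198.51.100.10/32]" with optional "!" entries.
All IP addresses are constructed sample values (RFC 5737 / RFC 1918)."""
import ipaddress


def parse_net_var(spec):
    """Parse a literal address group into (include, exclude) network lists."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    include, exclude = [], []
    for entry in (e.strip() for e in spec.split(",") if e.strip()):
        target = exclude if entry.startswith("!") else include
        target.append(ipaddress.ip_network(entry.lstrip("!"), strict=False))
    return include, exclude


def in_group(addr, group):
    """True if addr is in an include network and not in any exclude network."""
    include, exclude = group
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in exclude):
        return False
    return any(ip in net for net in include)


def resolve(token, variables):
    """Turn an address token ("any", "$HOME_NET", "!$HOME_NET" or a literal
    group) into a predicate over IP address strings. Variable values may
    themselves be tokens, which is how EXTERNAL_NET = "!$HOME_NET" works."""
    negate = token.startswith("!")
    token = token.lstrip("!")
    if token == "any":
        matcher = lambda ip: True
    elif token.startswith("$"):
        matcher = resolve(variables[token[1:]], variables)
    else:
        group = parse_net_var(token)
        matcher = lambda ip: in_group(ip, group)
    return (lambda ip: not matcher(ip)) if negate else matcher


def rule_matches(rule_header, packet, variables):
    """Evaluate a one-directional rule header ("->") against a packet dict
    with keys src, sport, dst, dport. Rule options are ignored."""
    _action, _proto, src, sport, arrow, dst, dport = rule_header.split()
    assert arrow == "->", "only one-directional rules are simulated here"
    port_ok = (sport == "any" or int(sport) == packet["sport"]) and \
              (dport == "any" or int(dport) == packet["dport"])
    return (port_ok
            and resolve(src, variables)(packet["src"])
            and resolve(dst, variables)(packet["dst"]))


def home_net_covers(variables, ip):
    """Sanity check an operator can run: is this (WAN) address in HOME_NET?"""
    return resolve("$HOME_NET", variables)(ip)


# Constructed rule: inbound SSH from outside to a protected host.
RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET 22"

# Configuration as shipped: only the LAN is HOME_NET.
VARS_WITHOUT_WAN = {"HOME_NET": "[192.168.1.0/24]",
                    "EXTERNAL_NET": "!$HOME_NET"}
# Configuration after adding the WAN address (198.51.100.10) to Home Networks.
VARS_WITH_WAN = {"HOME_NET": "[192.168.1.0/24,198.51.100.10/32]",
                 "EXTERNAL_NET": "!$HOME_NET"}

# Constructed packets: one aimed at the WAN address, one at a LAN host.
INBOUND_TO_WAN = {"src": "203.0.113.7", "sport": 51000,
                  "dst": "198.51.100.10", "dport": 22}
INBOUND_TO_LAN = {"src": "203.0.113.7", "sport": 51001,
                  "dst": "192.168.1.20", "dport": 22}


if __name__ == "__main__":
    for name, variables in (("without WAN", VARS_WITHOUT_WAN),
                            ("with WAN", VARS_WITH_WAN)):
        print(name, "HOME_NET covers WAN:",
              home_net_covers(variables, "198.51.100.10"))
        print("  to WAN matches:", rule_matches(RULE, INBOUND_TO_WAN, variables))
        print("  to LAN matches:", rule_matches(RULE, INBOUND_TO_LAN, variables))
```

Running it prints that the rule matches the LAN-bound packet under both configurations but matches the WAN-bound packet only once the WAN address is in HOME_NET, which is the effect the post observed after editing the Home Networks field. `home_net_covers` is the quick check to run against each WAN address before relying on `$HOME_NET`-destination rules for inbound traffic.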