Suricata and Pi-Hole

Started by spetrillo, January 02, 2021, 07:58:53 PM

Hello all,

I am noticing a number of the following in my Suricata logs:

2021-01-02T12:40:58   suricata[50565]   [1:2027865:2] ET INFO Observed DNS Query to .cloud TLD [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.30.8:35422 -> 192.168.1.1:53   
2021-01-02T10:56:28   suricata[50565]   [1:2030555:1] ET INFO Outbound RRSIG DNS Query Observed [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.30.8:48950

This is related to my Pi-hole setup. I would like to ignore these, but if I disable the alert I fear I am going to miss real issues. If I disable it, does that mean I just disable this type of alert or all types? Can I use a rule to filter these out?

Thanks,
Steve

You can go to Alerts and disable the alert, but this will disable the filtering rule.

Otherwise, try creating a rule to ignore it in the User defined section.
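One way to ignore these without turning the signatures off everywhere is a suppress entry in Suricata's threshold.config, which silences a signature only for a given host. This is an added example, not something posted in this thread; the SIDs and the Pi-hole address 192.168.30.8 come from the alerts above, and the file path is the upstream Suricata default (your firewall GUI may write it elsewhere).

```text
# threshold.config (referenced from suricata.yaml via "threshold-file").
# Assumption: 192.168.30.8 is the Pi-hole that appears in the alerts above.

# "ET INFO Observed DNS Query to .cloud TLD" (sid 2027865):
# suppress only when the Pi-hole is the source. Any other host on the
# network querying a .cloud domain still raises the alert.
suppress gen_id 1, sig_id 2027865, track by_src, ip 192.168.30.8

# "ET INFO Outbound RRSIG DNS Query Observed" (sid 2030555):
# the logged alert has the Pi-hole as destination, so track both
# directions of the resolver exchange with by_either.
suppress gen_id 1, sig_id 2030555, track by_either, ip 192.168.30.8
```

After reloading the rules, any of these two alerts that still appears involves a host other than the Pi-hole, which is exactly the traffic you did not want to lose sight of.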

Hi spetrillo, I have the same issue: Suricata blocks some communications from/to my Pi-hole. Did you configure Suricata for LAN or WAN or both? That's just to know if I did it the right way...
In the meantime we wait for someone to help us.
Quote from: spetrillo on January 02, 2021, 07:58:53 PM
Quote from: mayo on January 12, 2021, 07:18:04 PM
I have Suricata configured as shown in the screenshot. Both my LAN and WAN interfaces are being monitored. I am in IDS mode. I will not turn on IPS unless I need to.