Author Topic: Suricata and Pi-Hole (Read 4545 times)

spetrillo · « **on:** January 02, 2021, 07:58:53 pm »

Hello all,

I am noticing a number of the following in my Suricata logs:

2021-01-02T12:40:58 suricata[50565] [1:2027865:2] ET INFO Observed DNS Query to .cloud TLD [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.30.8:35422 -> 192.168.1.1:53
2021-01-02T10:56:28 suricata[50565] [1:2030555:1] ET INFO Outbound RRSIG DNS Query Observed [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.30.8:48950

This is related to my Pi-Hole setup. I would like to ignore these but if I disable the alert I fear I am going to miss real issues. If I disable does it mean I just disable for these type or all types of alerts? Can I use a rule to filter these out?

Thanks,
Steve

jean.paradis · « **Reply #1 on:** January 04, 2021, 03:35:58 am »

Vous pouvez aller dans alerte et désactiver alerte, mais ceci va désactiver la règle de filtrage.

Sinon essayer de créé une règle pour ignorer dans la section utilisateurs.

mayo · « **Reply #2 on:** January 12, 2021, 07:18:04 pm »

I spetrillo, I have same iussue: Suricata blocks some comunications from/to my pi-hole. Did you configured Suricata for Lan or Wan or both? That's just to know if I did it in right way...
In the meanwhile we wait for someone to help us.

Quote from: spetrillo on January 02, 2021, 07:58:53 pm

Hello all,

I am noticing a number of the following in my Suricata logs:

2021-01-02T12:40:58 suricata[50565] [1:2027865:2] ET INFO Observed DNS Query to .cloud TLD [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.30.8:35422 -> 192.168.1.1:53
2021-01-02T10:56:28 suricata[50565] [1:2030555:1] ET INFO Outbound RRSIG DNS Query Observed [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.30.8:48950

This is related to my Pi-Hole setup. I would like to ignore these but if I disable the alert I fear I am going to miss real issues. If I disable does it mean I just disable for these type or all types of alerts? Can I use a rule to filter these out?

Thanks,
Steve

spetrillo · « **Reply #3 on:** January 13, 2021, 05:52:40 pm »

Quote from: mayo on January 12, 2021, 07:18:04 pm

I spetrillo, I have same iussue: Suricata blocks some comunications from/to my pi-hole. Did you configured Suricata for Lan or Wan or both? That's just to know if I did it in right way...
In the meanwhile we wait for someone to help us.
Quote from: spetrillo on January 02, 2021, 07:58:53 pm
Hello all,

I am noticing a number of the following in my Suricata logs:

2021-01-02T12:40:58 suricata[50565] [1:2027865:2] ET INFO Observed DNS Query to .cloud TLD [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.30.8:35422 -> 192.168.1.1:53
2021-01-02T10:56:28 suricata[50565] [1:2030555:1] ET INFO Outbound RRSIG DNS Query Observed [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.30.8:48950

This is related to my Pi-Hole setup. I would like to ignore these but if I disable the alert I fear I am going to miss real issues. If I disable does it mean I just disable for these type or all types of alerts? Can I use a rule to filter these out?

Thanks,
Steve

I have Suricata configured in the screenshot. Both my LAN and WAN interfaces are being monitored. I am in IDS mode. I will not turn on IPS, unless I need to.

Author Topic: Suricata and Pi-Hole (Read 4545 times)

spetrillo

Suricata and Pi-Hole

jean.paradis

Re: Suricata and Pi-Hole

mayo

Re: Suricata and Pi-Hole

spetrillo

Re: Suricata and Pi-Hole