OPNsense
Author Topic: Suricata and Pi-Hole  (Read 3402 times)

spetrillo
Suricata and Pi-Hole
« on: January 02, 2021, 07:58:53 pm »
Hello all,

I am noticing a number of the following in my Suricata logs:

2021-01-02T12:40:58   suricata[50565]   [1:2027865:2] ET INFO Observed DNS Query to .cloud TLD [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.30.8:35422 -> 192.168.1.1:53   
2021-01-02T10:56:28   suricata[50565]   [1:2030555:1] ET INFO Outbound RRSIG DNS Query Observed [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.30.8:48950

This is related to my Pi-Hole setup. I would like to ignore these, but if I disable the alert I fear I am going to miss real issues. If I disable it, does that mean I just disable it for this type of alert or for all types of alerts? Can I use a rule to filter these out?

Thanks,
Steve
Logged

jean.paradis
Re: Suricata and Pi-Hole
« Reply #1 on: January 04, 2021, 03:35:58 am »
You can go into Alerts and disable the alert, but this will disable the filtering rule.

Otherwise, try creating a rule to ignore them in the user-defined section.
Logged
CPU type Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz (8 cores)
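As an added illustration of the "ignore rule" approach (example code, not from this thread or the OPNsense project): a small Python model of Suricata's threshold.config `suppress` entries, run against the two alert lines quoted above plus one constructed alert from another host. It assumes the Pi-hole is 192.168.30.8, as the addresses in the logs suggest; note that the RRSIG alert prints the Pi-hole as the destination, so a `track by_src` entry alone would not cover it.

```python
import re

# fast.log-style alert lines as quoted in the thread (Pi-hole assumed at 192.168.30.8)
ALERTS = [
    "2021-01-02T12:40:58   suricata[50565]   [1:2027865:2] ET INFO Observed DNS Query to .cloud TLD "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.30.8:35422 -> 192.168.1.1:53",
    "2021-01-02T10:56:28   suricata[50565]   [1:2030555:1] ET INFO Outbound RRSIG DNS Query Observed "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.30.8:48950",
    # constructed: the same .cloud signature from a different host must NOT be suppressed
    "2021-01-02T13:01:10   suricata[50565]   [1:2027865:2] ET INFO Observed DNS Query to .cloud TLD "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.30.55:40112 -> 1.1.1.1:53",
]

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[Classification.*?\{\w+\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

# Equivalent Suricata threshold.config entries, scoped to the Pi-hole instead of disabling the rules:
#   suppress gen_id 1, sig_id 2027865, track by_src, ip 192.168.30.8
#   suppress gen_id 1, sig_id 2030555, track by_dst, ip 192.168.30.8
SUPPRESS = [
    {"gid": 1, "sid": 2027865, "track": "by_src", "ip": "192.168.30.8"},
    {"gid": 1, "sid": 2030555, "track": "by_dst", "ip": "192.168.30.8"},
]

def parse_alert(line):
    """Extract gid, sid, message, source and destination address from a fast.log line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError(f"unparseable alert line: {line!r}")
    d = m.groupdict()
    d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
    return d

def is_suppressed(alert, rules=SUPPRESS):
    """True if a suppress entry matches the signature and the tracked address."""
    for r in rules:
        if (r["gid"], r["sid"]) != (alert["gid"], alert["sid"]):
            continue
        addr = alert["src"] if r["track"] == "by_src" else alert["dst"]
        if addr == r["ip"]:
            return True
    return False

def remaining_alerts(lines=ALERTS, rules=SUPPRESS):
    """Return (sid, src, dst) for the alerts that would still be raised."""
    return [(a["sid"], a["src"], a["dst"]) for a in map(parse_alert, lines) if not is_suppressed(a, rules)]

if __name__ == "__main__":
    for sid, src, dst in remaining_alerts():
        print(f"still alerting: sid {sid} {src} -> {dst}")
```

Only the constructed alert from 192.168.30.55 survives, so the signatures stay active for every other host while the Pi-hole's known-benign traffic is silenced.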

mayo
Re: Suricata and Pi-Hole
« Reply #2 on: January 12, 2021, 07:18:04 pm »
Hi spetrillo, I have the same issue: Suricata blocks some communications from/to my Pi-hole. Did you configure Suricata for LAN or WAN or both? That's just to know if I did it the right way...
In the meantime we wait for someone to help us.
Logged

spetrillo
Re: Suricata and Pi-Hole
« Reply #3 on: January 13, 2021, 05:52:40 pm »
Quote from: mayo on January 12, 2021, 07:18:04 pm
Hi spetrillo, I have the same issue: Suricata blocks some communications from/to my Pi-hole. Did you configure Suricata for LAN or WAN or both? That's just to know if I did it the right way...
In the meantime we wait for someone to help us.

I have Suricata configured in the screenshot. Both my LAN and WAN interfaces are being monitored. I am in IDS mode. I will not turn on IPS, unless I need to.
Logged
