OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Intrusion Detection and Prevention »
  • single bypass
« previous next »
  • Print
Pages: [1]

Author Topic: single bypass  (Read 1767 times)

bazbaz

  • Jr. Member
  • **
  • Posts: 53
  • Karma: 2
    • View Profile
single bypass
« on: October 26, 2023, 09:50:53 am »
Hi,
I cannot find the right way to bypass some specific IP regard some rule.
For example, I have a SIP server (a PBX) and a suricata rule is blocking IPs when there are many failed SIP accesses from it. This is ok, but I need to whitelist my remote IP to avoid that a single misconfigured phone causes a block for all the remote site accessing the PBX.

How can I do this?
The only way I found seems to be create a "user defined rule" adding the remote IP and flagging as bypass. But this will bypass every rule for that IP.
I was used, in PfSense+suricata, to add a single alert to the suppress list with a click on the alert row. Is there some way to perform this?

thanks
Logged

Monviech (Cedrik)

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1600
  • Karma: 176
    • View Profile
Re: single bypass
« Reply #1 on: October 27, 2023, 10:40:05 am »
From what I know is that you can only bypass a single IP (which you have found out already), or turn off a rule completely in "Policy, Rule adjustments". That's the GUI options.

I know though that in the shell there is a configuration file imported for user added rules, so you could add your own suricata rule for that IP that skips a specific SID... I think.

Now I wonder if I could add a SID field into the GUI of to the user defined bypass rules. I will check that sometime.
« Last Edit: October 27, 2023, 10:49:21 am by Monviech »
Logged
Hardware:
DEC740

bazbaz

  • Jr. Member
  • **
  • Posts: 53
  • Karma: 2
    • View Profile
Re: single bypass
« Reply #2 on: October 27, 2023, 11:56:41 am »
I think that the best will be a command in the alerts table, when I can add with a click a user defined rule that will bypass the source IP, or the destination one, related to that SID rule.

BTW trying to do that manually, I cannot understand if it is right how I can see this in alerts table:
2023-10-27T10:45:31.151289+0200   2003194   allowed   <INTLAN>   <INTIPAFTERNAT>   5060   <REMOTEHOSTIP>   39983   ET VOIP Multiple Unauthorized SIP Responses TCP

It reports that REMOTEHOSTIP has received multiple "unauthorized SIP access" responses from my PBX. This is clear, but the "attacker" is REMOTEHOSTIP (the "destination" in the table) non INTIPAFTERNAT (the "source" in the table, my PBX internal IP).
I konw that there is some misconfigured phone in remote site, but I know who REMOTEHOSTIP is and i'ts ok, so I need to allow it. I think I need to allow REMOTEHOSTIP as destination, not as source, and this is not intuitive. Is this right?


Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Intrusion Detection and Prevention »
  • single bypass
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2