Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
single bypass
« previous
next »
Print
Pages: [
1
]
Author
Topic: single bypass (Read 1768 times)
bazbaz
Jr. Member
Posts: 53
Karma: 2
single bypass
«
on:
October 26, 2023, 09:50:53 am »
Hi,
I cannot find the right way to bypass some specific IP regard some rule.
For example, I have a SIP server (a PBX) and a suricata rule is blocking IPs when there are many failed SIP accesses from it. This is ok, but I need to whitelist my remote IP to avoid that a single misconfigured phone causes a block for all the remote site accessing the PBX.
How can I do this?
The only way I found seems to be create a "user defined rule" adding the remote IP and flagging as bypass. But this will bypass every rule for that IP.
I was used, in PfSense+suricata, to add a single alert to the suppress list with a click on the alert row. Is there some way to perform this?
thanks
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1601
Karma: 176
Re: single bypass
«
Reply #1 on:
October 27, 2023, 10:40:05 am »
From what I know is that you can only bypass a single IP (which you have found out already), or turn off a rule completely in "Policy, Rule adjustments". That's the GUI options.
I know though that in the shell there is a configuration file imported for user added rules, so you could add your own suricata rule for that IP that skips a specific SID... I think.
Now I wonder if I could add a SID field into the GUI of to the user defined bypass rules. I will check that sometime.
«
Last Edit: October 27, 2023, 10:49:21 am by Monviech
»
Logged
Hardware:
DEC740
bazbaz
Jr. Member
Posts: 53
Karma: 2
Re: single bypass
«
Reply #2 on:
October 27, 2023, 11:56:41 am »
I think that the best will be a command in the alerts table, when I can add with a click a user defined rule that will bypass the source IP, or the destination one, related to that SID rule.
BTW trying to do that manually, I cannot understand if it is right how I can see this in alerts table:
2023-10-27T10:45:31.151289+0200 2003194 allowed <INTLAN> <INTIPAFTERNAT> 5060 <REMOTEHOSTIP> 39983 ET VOIP Multiple Unauthorized SIP Responses TCP
It reports that REMOTEHOSTIP has received multiple "unauthorized SIP access" responses from my PBX. This is clear, but the "attacker" is REMOTEHOSTIP (the "destination" in the table) non INTIPAFTERNAT (the "source" in the table, my PBX internal IP).
I konw that there is some misconfigured phone in remote site, but I know who REMOTEHOSTIP is and i'ts ok, so I need to allow it. I think I need to allow REMOTEHOSTIP as destination, not as source, and this is not intuitive. Is this right?
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
single bypass