virtually no ipv6 hits

Started by planetf1, May 27, 2024, 10:39:10 PM

I am running dual-stack IPv4/6 and have Suricata IDS enabled on LAN only.
I am using all the ET telemetry rules, plus most of the abuse.ch ones.

As I observe them I am disabling a few select rules, but so far almost all the alerts I see relate to IPv4 traffic. There's the odd report of a dodgy multicast address with IPv6, but that's all.

This includes rules that just alert on lookups against a certain domain, and I know for a fact that over half, perhaps 2/3, of my DNS lookups are over IPv6, so why are only the IPv4 references hit?

I presume this is a deficiency in the rules; not much I can do about that, but I also want to rule out configuration issues.

Any suggestions?

OK, I figured it out. I looked in the ET telemetry rules and, since they use HOME_NET a lot, realised that I needed to add my IPv6 prefix (or LAN config) to the HOME_NET value that Suricata uses (under advanced settings).

With this done, Suricata is now detecting IPv6 traffic too :-)

One question though: if I changed ISP in future, or my ISP changes policy, I'd need to update this config with the prefix.

Is there any option built into OPNsense that would automatically pick up the prefix? Or would it be a case of manual scripting? Are there appropriate events to trigger off to make the config change?

Seems like it needs a HOME_NET6 or something that tags HOME_NET with an IPv6 value. It may be in there, but this is still like black magic to me and I need to dig way deeper.

I just needed to add the right IPv6 CIDR to HOME_NET :-)
For now I've added my entire prefix (/48). I could add just the LAN prefix (/64).

Though the question remains as to whether this could be added automatically.
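To make the HOME_NET point concrete, here is a small added example (not code from the thread or from OPNsense/Suricata) that parses a Suricata-style HOME_NET address group and reports which observed source addresses fall outside it. It uses the documentation prefixes 192.168.1.0/24 and 2001:db8:abcd::/48 and a handful of constructed sample addresses; the helper names and the simplified group syntax (comma-separated CIDRs, no negation) are assumptions for illustration. It also shows how a LAN host address would be reduced to the /64 or /48 prefix you would put into HOME_NET, which is the piece any automatic update script would need to compute.

```python
import ipaddress

# Constructed sample HOME_NET values using documentation prefixes (not a real network).
HOME_NET_V4_ONLY = "[192.168.1.0/24]"
HOME_NET_DUAL = "[192.168.1.0/24,2001:db8:abcd::/48]"

# Constructed sample source addresses, as they might appear in DNS lookup alerts.
SAMPLE_SOURCES = [
    "192.168.1.20",               # LAN host, IPv4
    "2001:db8:abcd:1::20",        # LAN host, global IPv6 prefix
    "fe80::1c2e:3ff:fe45:6789",   # link-local IPv6, not inside the global prefix
    "203.0.113.9",                # WAN-side address, should not count as home
]


def parse_home_net(spec):
    """Parse a simple Suricata-style address group such as "[a/24,b::/48]".

    Only the plain comma-separated CIDR form is handled (assumption for this
    example); negated entries and nested groups are not supported.
    """
    inner = spec.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in inner.split(",") if p.strip()]


def in_home_net(addr, nets):
    """True if addr is inside any network of the same IP version in nets."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)


def uncovered(sources, spec):
    """Return the sources that a rule using HOME_NET as the source would not match."""
    nets = parse_home_net(spec)
    return [s for s in sources if not in_home_net(s, nets)]


def lan_prefix(addr, prefixlen=64):
    """Reduce a host address to its /prefixlen network, e.g. the LAN /64 or the
    delegated /48, to build the HOME_NET entry from an address seen on the LAN."""
    return str(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))


if __name__ == "__main__":
    # With only an IPv4 entry, every IPv6 source is outside HOME_NET.
    print("v4-only HOME_NET misses:", uncovered(SAMPLE_SOURCES, HOME_NET_V4_ONLY))
    # After adding the /48, only link-local and WAN addresses remain outside.
    print("dual-stack HOME_NET misses:", uncovered(SAMPLE_SOURCES, HOME_NET_DUAL))
    # Prefix a script would derive from a LAN host address.
    print("LAN /64:", lan_prefix("2001:db8:abcd:1::20"))
    print("delegated /48:", lan_prefix("2001:db8:abcd:1::20", 48))
```

The first call shows exactly the symptom from the opening post: with an IPv4-only HOME_NET, the IPv6 LAN host is treated as "not home", so rules written against HOME_NET never fire on its lookups. Adding the /48 fixes the global-prefix hosts; the link-local address is still reported as outside, which is worth keeping in mind if you expect alerts on link-local traffic.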