Netgate Discussion Forum
    Suricata Home/External Net - HOW do you make the External list???

    IDS/IPS
    MrPete:

      In the Suricata UI, Interface configuration includes reference to the Home and External nets as follows:

      • Choose the Home Net you want this interface to use. Default Home Net adds only local networks, WAN IPs, Gateways, VPNs and VIPs. Create an Alias to hold a list of friendly IPs that the firewall cannot see or to customize the default Home Net.

      • Choose the External Net you want this interface to use.
        External Net is networks that are not Home Net. Most users should leave this setting at default. Create a Pass List and add an Alias to it, and then assign the Pass List here for custom External Net settings.

      The defaults make total sense:

      • Home net has entries such as
        192.168.1.0/24
        192.168.99.0/24
      • External net is simply the negation of the above:
        !192.168.1.0/24
        !192.168.99.0/24

      MY QUESTION
      The instructions for a custom external net make no sense. A "Pass List" is a simple set of IP addresses. It doesn't support negation.

      So how are we actually supposed to generate a custom external list?

      bmeeks:

        You are correct, the new modifications for adding multiple IP addresses or networks to a Pass List do not support negation (a leading "!" character) because the code uses built-in IP address validators that do not expect nor support negation.

        I will have to consider how best to handle that in the future.

        For now this workaround should help. The general idea with $EXTERNAL_NET is that it should be the negative of $HOME_NET. So the default configuration does exactly that. It takes every address from $HOME_NET and puts an exclamation point ("!") in front of the address to indicate negation and assigns those to $EXTERNAL_NET. So in that vein, you can customize $HOME_NET to contain your list of protected addresses, and then leave $EXTERNAL_NET set to "default" and it will automatically become the negative of $HOME_NET.

        It would be rare to have an $EXTERNAL_NET that is not simply a negation of $HOME_NET. All of the commercially available rules are sort of depending on that setup in order to fire correctly.

        Is there a particular reason you want $EXTERNAL_NET to not be a simple negation of $HOME_NET, and thus contain other IP addresses?

        MrPete @bmeeks:
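        The mechanism bmeeks describes, as an added illustration that is not code from pfSense or the Suricata package: a plain IP validator (here Python's `ipaddress` module, standing in for the package's built-in validators) rejects a leading "!", the default EXTERNAL_NET is produced by negating each HOME_NET entry one-for-one, and a small matcher shows why 8.8.8.8 lands in EXTERNAL_NET while a LAN host does not. The two HOME_NET networks are the constructed sample values from the first post; the function names are assumptions made for this example.

```python
import ipaddress

# Constructed sample HOME_NET, using the two networks named in the original post.
HOME_NET = ["192.168.1.0/24", "192.168.99.0/24"]


def is_valid_entry(entry: str) -> bool:
    """Mimic a plain IP/network validator: a leading '!' is not an address,
    so a negated Pass List entry is rejected (the limitation bmeeks describes)."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def build_home_net(entries):
    """Normalise the HOME_NET entries, rejecting anything a validator would reject."""
    bad = [e for e in entries if not is_valid_entry(e)]
    if bad:
        raise ValueError(f"entries not accepted by an IP validator: {bad}")
    return [str(ipaddress.ip_network(e, strict=False)) for e in entries]


def build_external_net(home_net):
    """Default EXTERNAL_NET: one '!' entry for every HOME_NET entry."""
    return ["!" + e for e in home_net]


def matches(ip: str, group) -> bool:
    """Simplified model of a Suricata address group: an IP matches when it is
    inside at least one positive entry (or there are none) and inside no
    negated entry. Assumption: this is a reduced model, not Suricata's code."""
    addr = ipaddress.ip_address(ip)
    positives = [ipaddress.ip_network(e, strict=False) for e in group if not e.startswith("!")]
    negatives = [ipaddress.ip_network(e[1:], strict=False) for e in group if e.startswith("!")]
    if any(addr in n for n in negatives):
        return False
    return not positives or any(addr in p for p in positives)


def render_address_groups(home_net, external_net) -> str:
    """Render the two variables in suricata.yaml's vars.address-groups layout."""
    return (
        "vars:\n"
        "  address-groups:\n"
        f'    HOME_NET: "[{",".join(home_net)}]"\n'
        f'    EXTERNAL_NET: "[{",".join(external_net)}]"\n'
    )


if __name__ == "__main__":
    home = build_home_net(HOME_NET)
    external = build_external_net(home)
    print(render_address_groups(home, external))
    print("8.8.8.8 in EXTERNAL_NET:", matches("8.8.8.8", external))
    print("192.168.99.7 in EXTERNAL_NET:", matches("192.168.99.7", external))
```

Because EXTERNAL_NET is derived from HOME_NET rather than entered separately, a host moved into a custom HOME_NET is excluded from EXTERNAL_NET automatically, which is exactly the behaviour the "default" selection gives.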

          @bmeeks THANKS!

          I do want it to be an exact negation.
          HAH. THANK YOU.
          Bad assumption on my part (I assumed "default" meant "default Home Net" in both places!)

          Simple suggestion: modify the External Net dropdown... something like:
          from: "default"
          to: "default: negate selected Home Net"

          bmeeks @MrPete:

            @mrpete said in Suricata Home/External Net - HOW do you make the External list???:

            @bmeeks THANKS!

            I do want it to be an exact negation.
            HAH. THANK YOU.
            Bad assumption on my part (I assumed "default" meant "default Home Net" in both places!)

            Simple suggestion: modify the External Net dropdown... something like:
            from: "default"
            to: "default: negate selected Home Net"

            Just to be clear, when you set it to "default" that does in fact result in EXTERNAL_NET being an exact one-for-one negation of each entry in HOME_NET. So if you customize HOME_NET to something else other than the default values, then EXTERNAL_NET will follow automatically so long as it remains set for "default". But I can do a better job of explaining that in the help note underneath the drop-down selector.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.