Suricata Home/External Net - HOW do you make the External list???
-
In the Suricata UI, Interface configuration includes reference to the Home and External nets as follows:
-
Choose the Home Net you want this interface to use. Default Home Net adds only local networks, WAN IPs, Gateways, VPNs and VIPs. Create an Alias to hold a list of friendly IPs that the firewall cannot see or to customize the default Home Net.
-
Choose the External Net you want this interface to use.
External Net is networks that are not Home Net. Most users should leave this setting at default. Create a Pass List and add an Alias to it, and then assign the Pass List here for custom External Net settings.
The defaults make total sense:
- Home net has entries such as
192.168.1.0/24
192.168.99.0/24
- External net is simply the negation of the above:
!192.168.1.0/24
!102.168.99.0/24
MY QUESTION
The instructions for a custom external net make no sense. A "Pass List" is a simple set of IP addresses. It doesn't support negation. So how are we actually supposed to generate a custom external list?
-
You are correct, the new modifications for adding multiple IP addresses or networks to a Pass List do not support negation (a leading "!" character) because the code uses built-in IP address validators that do not expect nor support negation.
I will have to consider how best to handle that in the future.
For now this workaround should help. The general idea with $EXTERNAL_NET is that it should be the negative of $HOME_NET. So the default configuration does exactly that. It takes every address from $HOME_NET and puts an exclamation point ("!") in front of the address to indicate negation and assigns those to $EXTERNAL_NET. So in that vein, you can customize $HOME_NET to contain your list of protected addresses, and then leave $EXTERNAL_NET set to "default" and it will automatically become the negative of $HOME_NET.
It would be rare to have an $EXTERNAL_NET that is not simply a negation of $HOME_NET. All of the commercially available rules are sort of depending on that setup in order to fire correctly.
Is there a particular reason you want $EXTERNAL_NET to not be a simple negation of $HOME_NET, and thus contain other IP addresses?
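To make the "default is the negation" rule concrete, here is an added Python example (not code from the Suricata package or from anyone in this thread). It assumes the Pass List validator behaves like Python's `ipaddress` module, which rejects a leading "!" just as the reply describes; the HOME_NET values are constructed from the networks used earlier in the thread.

```python
import ipaddress

# Constructed sample HOME_NET, modelled on the networks quoted in the thread.
HOME_NET = ["192.168.1.0/24", "192.168.99.0/24"]


def validate_pass_list_entry(entry: str) -> bool:
    """Stand-in for a strict IP/CIDR validator (assumed to behave like the
    Pass List code): a leading '!' is not part of an address, so it fails."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def negate_home_net(home_net):
    """Build the 'default' EXTERNAL_NET: one '!' negation per HOME_NET entry.
    Entries are validated first, so a pre-negated entry is caught here."""
    for entry in home_net:
        if not validate_pass_list_entry(entry):
            raise ValueError(f"not a valid address/network: {entry}")
    return ["!" + entry for entry in home_net]


def classify(ip: str, home_net) -> str:
    """Report which variable an address matches: HOME_NET if it lies inside
    any listed network, otherwise EXTERNAL_NET (its negation)."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in home_net]
    return "HOME_NET" if any(addr in n for n in nets) else "EXTERNAL_NET"


def address_groups_yaml(home_net) -> str:
    """Render both variables as a suricata.yaml address-groups fragment."""
    home = ",".join(home_net)
    ext = ",".join(negate_home_net(home_net))
    return (
        "vars:\n"
        "  address-groups:\n"
        f'    HOME_NET: "[{home}]"\n'
        f'    EXTERNAL_NET: "[{ext}]"\n'
    )


if __name__ == "__main__":
    print(address_groups_yaml(HOME_NET))
    print(classify("192.168.99.7", HOME_NET), classify("8.8.8.8", HOME_NET))
```

Customizing HOME_NET and then calling `negate_home_net` on it is exactly what leaving EXTERNAL_NET at "default" does for you.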
-
@bmeeks THANKS!
I do want it to be an exact negation.
HAH. THANK YOU.
Bad assumption on my part (I assumed "default" meant "default Home Net" in both places!) Simple suggestion: modify the External Net dropdown... something like:
from: "default"
to: "default: negate selected Home Net"
-
@mrpete said in Suricata Home/External Net - HOW do you make the External list???:
> @bmeeks THANKS!
> I do want it to be an exact negation.
> HAH. THANK YOU.
> Bad assumption on my part (I assumed "default" meant "default Home Net" in both places!) Simple suggestion: modify the External Net dropdown... something like:
> from: "default"
> to: "default: negate selected Home Net"

Just to be clear, when you set it to "default" that does in fact result in EXTERNAL_NET being an exact one-for-one negation of each entry in HOME_NET. So if you customize HOME_NET to something else other than the default values, then EXTERNAL_NET will follow automatically so long as it remains set for "default". But I can do a better job of explaining that in the help note underneath the drop-down selector.