Suricata - How to apply different blocking rules per subnet?
-
I am running pfsense 2.7.2 with all the latest patches on a pc with Intel i5-4570 CPU, 32 Gb of RAM, Supermicro AOC SGP-i4 4 port 1 GBe card and 2 1Gbe 1 port cards.
I have configured pfSense to have multiple VLANs on LAN and separate subnets on OPT1 to OPT5.
I am trying to better understand how Suricata has been implemented.
I have setup separate Suricata interface rules for each VLAN and subnet.
I believe that I am seeing Suricata implement the same blocking rules across all VLANs and subnets. What I want it to do is implement independent blocking rules for each VLAN and subnet.
Is this possible with the current implementation?
Regards.
-
@pslinn Suricata works at a low level so cannot distinguish VLANs from their parent interface. Just run one instance on each parent. I'm afraid there isn't a way to run separate instances.
-
@SteveITS Thanks
-
Suricata by default places the physical interface in promiscuous mode, so all traffic traversing the physical interface is seen by all Suricata instances running on the physical interface. That means there is no benefit to creating separate Suricata instances for each VLAN, because a single instance will see the traffic from all VLANs.
You can, to a limited extent, tailor how a given Suricata instance responds to traffic by using customized HOME_NET and/or EXTERNAL_NET variables and making sure all the rules you are enabling use the $HOME_NET and $EXTERNAL_NET conditionals in the rule text.
