Exclude IPs in Suricata



  • Hi,

    We set up Suricata on the LAN interface, but within this LAN interface I wanted to exclude some IPs which fall under the Management group. Can anyone suggest how to get this done?



  • Enable IP reputation and create a white list is one way.  Another is to use the Pass List feature, but this only works when using legacy mode blocking.  The Pass List is not used when Suricata is run with inline IPS mode enabled.

    Bill



  • Hi all,
    Bill, do you mean we'd have to :

    • in IP Lists, create 2 files (one for categories definition, another for IPs related to categories)
    • go to interface IP Rep, enable IP rep, and fill both previous files in "assign categories file" and "assign IP Reputation Lists"
    • finally, we must create a custom rule with a "pass" action to really have a "whitelist" effect, true?
      That's the last step I did not manage to figure out.  :o
      Is it the right process when you say we have to enable IP Rep for whitelists in Suricata?
      Seems to be a little bit tricky, just for a whitelist, isn't it?  ;)
      Thanks
      Pierre


  • @bmeeks:

    Enable IP reputation and create a white list is one way.  Another is to use the Pass List feature, but this only works when using legacy mode blocking.  The Pass List is not used when Suricata is run with inline IPS mode enabled.

    Bill

    Could you please provide us with step-by-step instructions on how to whitelist in Suricata inline mode?

    Thank you!



  • Hi,
    I also have the problem using inline mode with a drop list (to block traffic) and a suppress list (to remove certain kinds of drops): everything is blocked, whereas the suppress list should bypass alerts and drops.
    Works fine in legacy mode.



  • mind12 – did you ever figure out a whitelist?

    I noticed none of the existing rules I have include the "iprep" keyword.
    http://suricata.readthedocs.io/en/latest/reputation/ipreputation/ip-reputation.html

    I also looked into the -F command line option, but it appears there isn't a way to modify the command line.



  • Hi,

    I haven't tried it yet.
    Bmeeks pointed out in this topic that you should create a custom pass rule for your whitelisted IP addresses, because in inline mode the Pass List isn't working.
    Check this topic: https://forum.pfsense.org/index.php?topic=135331.0

    Pass rule example:

    pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:1000001;)
    

    Rule wiki: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules
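As an added example (not code from anyone in this thread or from the pfSense Suricata package), the Python helper below turns a list of management hosts into both of the artifacts discussed above: per-host pass rules in the form of the example rule, and the IP reputation categories file, reputation list and the iprep pass rule that ties them together. The host list, category name, score and sid numbers are assumed values.

```python
import ipaddress

# Constructed sample input: management hosts to exempt (not taken from the thread).
MGMT_HOSTS = ["10.10.0.5", "10.10.0.6", "192.168.50.0/24"]


def parse_hosts(entries):
    """Validate each entry as an IP or CIDR; a typo raises ValueError instead of
    silently producing a rule that never matches."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def _addr(net):
    # Single hosts are written without the /32 or /128 suffix, as in the example rule.
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def pass_rules(nets, first_sid=1000001):
    """One bidirectional pass rule per host/network, each with a unique sid in the
    local (>= 1000000) range. Pass rules are honoured in inline IPS mode, unlike
    the GUI Pass List."""
    return [
        f'pass ip {_addr(n)} any <> any any (msg:"pass all traffic from/to {_addr(n)}"; '
        f'sid:{first_sid + i}; rev:1;)'
        for i, n in enumerate(nets)
    ]


def iprep_files(nets, cat_id=1, cat_name="MgmtWhitelist", score=127):
    """The two IP reputation files plus the iprep pass rule that uses them.
    Categories file: id,short name,description.  Reputation list: ip,category id,score
    (score 0-127; CIDR netblocks are accepted).  Category name and score are assumptions."""
    categories = f"{cat_id},{cat_name},Management hosts excluded from inspection\n"
    reputation = "".join(f"{_addr(n)},{cat_id},{score}\n" for n in nets)
    # iprep:<side>,<category>,<operator>,<score>; "any" matches either src or dst.
    rule = (f'pass ip any any -> any any (msg:"pass {cat_name} hosts"; '
            f'iprep:any,{cat_name},>,{score - 1}; sid:1000100; rev:1;)')
    return categories, reputation, rule


if __name__ == "__main__":
    nets = parse_hosts(MGMT_HOSTS)
    print("\n".join(pass_rules(nets)))
    cats, rep, rule = iprep_files(nets)
    print(cats, rep, rule, sep="")
```

A pass rule exempts the whole matching flow from further inspection, so the list should hold only the hosts that truly need it, and the generated rules must be placed where the interface loads its custom rules for Suricata to see them.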

