Netgate Discussion Forum
    Suricata - Don't record local traffic

    5 Posts 2 Posters 611 Views
sr10977

      Hi
      In my pfSense config I have two interfaces bridged together and running Suricata inline.
      Home Net shows the correct subnets as being part of it.
      However, Suricata still alerts on local traffic (within the Home Net). How can I stop that, so I receive alerts only on traffic between Home Net and External Net and vice versa?

bmeeks

        The Suricata package is not really designed to work in bridge mode. I've never tested it that way as that is a very uncommon arrangement.

sr10977

          Thanks for your response, really appreciate it. However, my question is not really about the bridge, my question is why it will flag traffic between different subnets when they are all listed as part of the Home Net.

bmeeks @sr10977

            @sr10977 said in Suricata - Don't record local traffic:

            Thanks for your response, really appreciate it. However, my question is not really about the bridge, my question is why it will flag traffic between different subnets when they are all listed as part of the Home Net.

            That depends on the design of the particular rules that are firing. Many rules use HOME_NET as a source or destination target, but some rules do not. So you will need to get the SID of the alerting rules and then go examine the actual text of the rule to see what its conditions are for being triggered.

            Now if you are actually asking about those HOME_NET addresses showing up and being blocked, that is controlled by the contents of the Pass List and not the HOME_NET variable. The default Pass List will contain all of the locally-attached networks, any defined DNS servers, Virtual IPs, VPNs, the WAN interface IP and the default gateway.

            So are you asking why you are seeing alerts with HOME_NET hosts, or are you really asking why you are getting blocks from those alerts? You would generally want to see alerts involving your HOME_NET hosts so you can see if anything nefarious is going on.

sr10977
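One way to follow the advice above in practice, as an added example that is not from the thread or the pfSense Suricata package: take the SIDs from the alert log and check each rule's header to see whether it can fire on traffic where both endpoints are in HOME_NET. The rules and HOME_NET values below are constructed; `$EXTERNAL_NET` is assumed to be defined as `!$HOME_NET`, the usual default.

```python
import ipaddress
import re

# Constructed sample rules covering the common header shapes (not real ET/VRT rules).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed ssh probe"; sid:9000001; rev:1;)',
    'alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"constructed smb lateral"; sid:9000002; rev:1;)',
    'alert ip any any -> any any (msg:"constructed catch-all"; sid:9000003; rev:1;)',
    'alert udp $HOME_NET any -> !$HOME_NET 53 (msg:"constructed outbound dns"; sid:9000004; rev:1;)',
]

# action proto src_addr src_port direction dst_addr dst_port ( ... sid:N ...
HEADER = re.compile(
    r'^\s*(?:alert|drop|pass|reject)\s+\S+\s+(\S+)\s+\S+\s+(->|<>)\s+(\S+)\s+\S+\s+\(.*?sid:\s*(\d+)'
)


def can_match_internal(addr_expr, home_nets):
    """True if this address expression can match a host inside HOME_NET.

    Handles: any, $HOME_NET, !$HOME_NET, $EXTERNAL_NET (assumed = !$HOME_NET),
    and literal IPs/CIDRs or [a,b,...] lists, optionally negated with '!'.
    """
    expr = addr_expr.strip()
    negated = expr.startswith('!')
    if negated:
        expr = expr[1:]
    if expr in ('any', '$HOME_NET'):
        return not negated
    if expr == '$EXTERNAL_NET':
        return negated            # !$EXTERNAL_NET == $HOME_NET
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in expr.strip('[]').split(',')]
    if negated:
        # A negated literal still matches internal hosts unless every HOME_NET
        # range is fully covered by the excluded ranges.
        return not all(any(h.subnet_of(n) for n in nets) for h in home_nets)
    return any(n.overlaps(h) for n in nets for h in home_nets)


def internal_alert_sids(rules, home_nets):
    """Return SIDs of rules whose header can fire on HOME_NET -> HOME_NET traffic."""
    hits = []
    for rule in rules:
        m = HEADER.match(rule)
        if not m:
            continue                 # comments, blank lines, unsupported actions
        src, _direction, dst, sid = m.groups()
        if can_match_internal(src, home_nets) and can_match_internal(dst, home_nets):
            hits.append(int(sid))
    return hits


if __name__ == '__main__':
    home = [ipaddress.ip_network('192.168.1.0/24'), ipaddress.ip_network('10.10.0.0/16')]
    print(internal_alert_sids(SAMPLE_RULES, home))   # -> [9000002, 9000003]
```

Rules that appear in the output are candidates to disable or to tighten via the SID management features rather than by editing HOME_NET, since their headers never restricted the source to EXTERNAL_NET in the first place.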

              Got you.
              Thanks!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.