Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata Permit QUIC

    Scheduled Pinned Locked Moved
    pfSense Packages
    suricata quic
    4
    6
    107
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • focaccioF
      focaccio
      last edited by

      What is a good way to have suricata not block and QUIC?

      focaccioF 1 Reply Last reply Reply Quote 0
      • focaccioF
        focaccio @focaccio
        last edited by

        @focaccio suricata-quic-blocks-20241111A.JPG

        Bob.DigB 1 Reply Last reply Reply Quote 0
        • Bob.DigB
          Bob.Dig LAYER 8 @focaccio
          last edited by

          @focaccio Only block what you want and don't block everything.

          focaccioF 1 Reply Last reply Reply Quote 0
          • focaccioF
            focaccio @Bob.Dig
            last edited by

            @Bob-Dig i can see that approach, since QUIC is encapsulated in UDP maybe there is no easy way to permit all QUIC? but with deep inspection one would think it could be possible. also maybe a permit any udp on port 443 would work also?

            S 1 Reply Last reply Reply Quote 0
            • S
              SteveITS Rebel Alliance @focaccio
              last edited by

              @focaccio You can disable individual rules from the Alerts tab or rules lists.

              I don't know what "failed decrypt" means, AFAIK Suricata can't inspect any encrypted traffic.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

              1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks
                last edited by

                That alert is coming from the built-in QUIC-events rules that ship with the Suricata binary.

                The events rules are simply informational in nature and don't indicate any malware or other compromise. I suggest disabling that rule or else using the "suppress by SID" feature on the ALERTS tab to prevent the alert the resulting block of a host.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post