    Suricata Inline add suppress with dynamic IP

    • Soloam

      I have Suricata set as suppress rule, I have this suppression:

      #ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
      suppress gen_id 1, sig_id 2016149, track by_dst, ip 51.159.156.37

      This IP is the IP of the Syncthing STUN server, and I'm allowing this rule because I use Syncthing. But I would like to keep this rule active in alert mode for any other connection to a STUN server that is not this one.

      The problem is that some day this IP can change, but the DNS name "stun.syncthing.net" will not change. Can I add this IP via an Alias, so that the suppression rule changes if the IP changes?

      Thank you

      • bmeeks

        No. Aliases are not supported by Suricata in Suppress Lists. This is a limitation in the binary. Those lists are not "dynamic". They are loaded and parsed only once at startup.

        • Soloam @bmeeks

          @bmeeks said in Suricata Inline add suppress with dynamic IP:

          No. Aliases are not supported by Suricata in Suppress Lists. This is a limitation in the binary. Those lists are not "dynamic". They are loaded and parsed only once at startup.

          Thanks for the reply and all your work on this!

          Is there a way to do this? Can I do it, for example, with "Modify SID List"? Can they have an external alias?

          • bmeeks @Soloam

            @Soloam said in Suricata Inline add suppress with dynamic IP:

            @bmeeks said in Suricata Inline add suppress with dynamic IP:

            No. Aliases are not supported by Suricata in Suppress Lists. This is a limitation in the binary. Those lists are not "dynamic". They are loaded and parsed only once at startup.

            Thanks for the reply and all your work on this!

            Is there a way to do this? Can I do it, for example, with "Modify SID List"? Can they have an external alias?

            No, you can't use firewall aliases in the Suricata rules. The binary that performs the actual work is completely unaware of things pfSense. It simply reads the addresses directly from the suricata.yaml file for the interface and runs using those. What you interact with in the GUI is just PHP code that creates the text-based suricata.yaml conf file for the Suricata instance. Then, when the binary Suricata service is started, it reads that conf file just once and uses the values stored there.

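Because the suppress list is parsed only once at startup, an entry pinned to the STUN server's address goes stale without notice when the DNS record changes. The following is an added example, not code from the thread or from the Suricata package: it compares the entry quoted in the first post against the current resolution of the hostname and regenerates it. The function names are hypothetical, it assumes every entry for the given sig_id belongs to that hostname, and writing the result back into the suppress list and restarting Suricata are left to the operator.

```python
import ipaddress
import re
import socket

# Suppress syntax as quoted in the thread (single literal address per entry).
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+),\s*sig_id\s+(?P<sid>\d+),\s*"
    r"track\s+(?P<track>by_src|by_dst),\s*ip\s+(?P<ip>\S+)$"
)

# The entry from the original post.
SAMPLE = (
    "#ET INFO Session Traversal Utilities for NAT (STUN Binding Request)\n"
    "suppress gen_id 1, sig_id 2016149, track by_dst, ip 51.159.156.37\n"
)

def resolve_ipv4(hostname):
    """Sorted IPv4 addresses the name resolves to right now."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def refresh_suppress(text, sid, hostname, resolver=resolve_ipv4):
    """Return (new_text, changed); changed=True means the running list is stale."""
    wanted = sorted(str(ipaddress.ip_address(a)) for a in resolver(hostname))
    if not wanted:
        return text, False  # empty DNS answer: keep the existing entries
    out, old = [], []
    for line in text.splitlines():
        m = SUPPRESS_RE.match(line.strip())
        if not (m and int(m["sid"]) == sid):
            out.append(line)  # comments and other signatures pass through
            continue
        if not old:  # first match: emit one entry per current address here
            out += [f"suppress gen_id {m['gid']}, sig_id {sid}, "
                    f"track {m['track']}, ip {a}" for a in wanted]
        old.append(m["ip"])
    if not old or sorted(old) == wanted:
        return text, False  # no entry for this sid, or already current
    return "\n".join(out) + "\n", True

if __name__ == "__main__":
    new_text, changed = refresh_suppress(SAMPLE, 2016149, "stun.syncthing.net")
    print(new_text, end="")
    print("# restart needed" if changed else "# entry is current")
```
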