Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata on pfSense: Custom HOME_NET via Pass List not matching traffic

    Scheduled Pinned Locked Moved webGUI
    1 Posts 1 Posters 33 Views 1 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R Online
      radian
      last edited by

      Re: Suricata cannot change HOME NET list?

      I am trying to customize HOME_NET for Suricata on pfSense CE and something seems inconsistent between the GUI and the actual rule evaluation.

      What I did (following the recommended procedure from this thread):

      Created an alias SURICATA_HOME_NET containing:

      10.0.10.0/24

10.0.20.0/24

10.0.30.0/24

10.0.40.0/24

192.168.200.200/32 (WAN IP of the firewall)

      Created a Pass List, added that alias at the bottom, saved it.

      In Suricata → Interface Settings (WAN), in “Networks Suricata Should Inspect and Protect”, I selected this Pass List as HOME_NET, saved and restarted Suricata.

      In the WAN interface I can see via “View HOME_NET” that 192.168.200.200/32 is indeed listed as part of HOME_NET, and EXTERNAL_NET looks correct as !HOME_NET.

      I added the following two custom rules to custom.rules on the WAN interface:

      alert tcp any any -> $HOME_NET 1:1024 (msg:"LAB T1046 SYN to HOME_NET"; flags:S; sid:4000001; rev:4;)
alert tcp any any -> 192.168.200.200 1:1024 (msg:"LAB T1046 SYN to WAN"; flags:S; sid:3999999; rev:3;)

      After Save + Apply + restart of Suricata on WAN, I run:

      nmap -sS -Pn -p1-1024 192.168.200.200

      Result:

      • list itemThe rule with the literal IP (sid:3999999) triggers alerts as expected.
      • The rule using $HOME_NET (sid:4000001) never fires, even though 192.168.200.200/32 is clearly shown in the HOME_NET list in the GUI.

      At the same time, a very simple test rule:

      alert icmp any any -> any any (msg:"LAB TEST ICMP ANY"; sid:4999999; rev:1;)

      does fire normally on the same interface, so custom.rules is loaded and working.

      So the situation is:

      • custom rules are loaded and working,
      • HOME_NET/EXTERNAL_NET Pass List is configured and visible in “View HOME_NET”,
      • traffic definitely hits the WAN interface (the static-IP rule sees it),
      • but rules using $HOME_NET as destination do not match that same traffic.

      Is this a known issue or am I misunderstanding how HOME_NET from a Pass List is applied internally? Any hints how to debug why $HOME_NET does not seem to include 192.168.200.200/32 at rule evaluation time, even though the GUI says it does?

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.