Suricata - how to solve block from internal LAN
-
Hi,
I am new to IDS and Suricata. I use the free community rules, and my problem is that one connection to my external host gets blocked as soon as I run remote SSH checks every minute from internal to external (ET SCAN Potential SSH Scan OUTBOUND). A second block from internal to the same host is ET POLICY Http Client Body contains passwd= in cleartext. This is because of a login to a website on this host.
My question is how to solve this in a common way, without creating a security hole?
thx
-
If I'm understanding your question right, then there are two solutions that I know of.
You can either use suppression to suppress the alerts by source, destination or just suppress the whole alert. https://doc.pfsense.org/index.php/Snort_alerts
Or you can add whatever hosts you don't want getting blocked to a Pass List. https://doc.pfsense.org/index.php/Snort_passlist
The links refer to Snort, but Suricata is configured the same way.
-
Hi,
OK, that's what I found out too. But I understand the option of suppressing alerts as only deleting them from the alert list, while the action will still be taken and block this host. Am I right? The possibility of adding the whole host to the Pass List is like using a hammer, because pfSense will never check for any kind of attack, right? I think the best way could be to deactivate only certain checks for this host. But I don't know if that is possible. So my situation actually consists of 2 problems.
1. I check my external webserver from one client on my LAN every minute. Suricata detects this and blocks the connection to the external IP address.
Result: I could not reach any service on the external host from internal.
2. If I log in to the external webserver via HTTP, Suricata detects the plain password and blocks the external host <- I will install certificates in the future so the connection uses HTTPS, but how could I solve this now?
But after all, I thought that my internal clients are on the whitelist and no check would be taken?
Edit: same now for package updates on Debian, and it also blocks downloads like debian.iso from a mirror.
-
But I understand the option of suppressing alerts as only deleting them from the alert list, while the action will still be taken and block this host.
It will suppress the alert as well as any blocking action that would be taken. So if you suppress that alert for that particular host as the source or destination, then it won't be alerted or blocked.
whole host to the Pass List is like using a hammer, because pfSense will never check for any kind of attack, right?
Nope, hosts in the pass lists will still show alerts and be monitored, but they will never be blocked.
bmeeks goes over it pretty well here https://forum.pfsense.org/index.php?topic=73863.0
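As an added example (not pfSense's or Suricata's own code), the following applies suppress entries in Suricata's threshold.config syntax to alert records shaped like eve.json output, so you can see what "suppress by source" versus "suppress by destination" actually exempts: the LAN monitoring client is exempted from the SSH-scan signature by source, and the external web host is exempted from the cleartext-password signature by destination, which keeps working even when the source address Suricata sees is a changing WAN address. The SIDs 9000001/9000002 and all IP addresses are placeholders; use the gid/sig_id shown in your own alert.

```python
# Added example (not pfSense or Suricata code); SIDs and addresses are placeholders.
import ipaddress
import re
SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
                         r"(?:,\s*track\s+(by_src|by_dst|by_either),\s*ip\s+(\S+))?$")

def parse_suppress(text):
    """Parse threshold.config suppress lines into (gid, sid, track, net) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError("unsupported line: " + line)
        gid, sid, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append((int(gid), int(sid), track, net))
    return rules

def is_suppressed(alert, rules):
    """No track = whole signature is silent; else the tracked address must be in net."""
    sig = (alert["alert"]["gid"], alert["alert"]["signature_id"])
    src = ipaddress.ip_address(alert["src_ip"])
    dst = ipaddress.ip_address(alert["dest_ip"])
    for gid, sid, track, net in rules:
        if (gid, sid) != sig:
            continue
        if track is None or {"by_src": src in net, "by_dst": dst in net,
                             "by_either": src in net or dst in net}[track]:
            return True
    return False

# Constructed entries: only the LAN monitoring host is exempt from the SSH-scan
# signature; the web host is exempt by destination, so a changing WAN address is irrelevant.
THRESHOLD = """
suppress gen_id 1, sig_id 9000001, track by_src, ip 192.168.1.50
suppress gen_id 1, sig_id 9000002, track by_dst, ip 203.0.113.10
"""
def evaluate(threshold=THRESHOLD):
    rules = parse_suppress(threshold)
    cases = {  # name: (sid, src_ip, dest_ip); the nat_* case has the WAN address as source
        "lan_monitor_ssh": (9000001, "192.168.1.50", "203.0.113.10"),
        "nat_wan_ssh": (9000001, "198.51.100.7", "203.0.113.10"),
        "passwd_to_webhost": (9000002, "198.51.100.7", "203.0.113.10"),
        "passwd_elsewhere": (9000002, "198.51.100.7", "203.0.113.99"),
    }
    return {n: is_suppressed({"src_ip": s, "dest_ip": d, "alert": {"gid": 1, "signature_id": sid}},
                             rules) for n, (sid, s, d) in cases.items()}
```

The nat_wan_ssh case is the one to watch: a by_src entry for the LAN address matches nothing once the alert's source is the firewall's WAN address, while the by_dst entry for the web host keeps matching regardless.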
-
Thx for the reply,
OK, I understand it now. But the problem is that the SRC is my dynamic external IP address, which changes every 24h. So if I understand you right and I would set the SRC for e.g. downloads on the suppress list, it would block again after 24h. Is it possible to show the real IP from the internal LAN and not only the external one of my ISP?