<div class="gmail_quote">On Tue, Jun 15, 2010 at 1:10 PM, Martin Spinassi <span dir="ltr"><<a href="mailto:martins.listz@gmail.com">martins.listz@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Tue, 2010-06-15 at 09:50 -0500, Will Metcalf wrote:<br>
> >I don't want to split it, as local user will match "HOME_NET"<br>
> > parameter. What I want is to allow users to access the webserver, but<br>
> > also check if there is a exploitation attempt. For example, I want to<br>
> > let the employee to access the site, but not to exploit a possible SQL<br>
> > injection on the service. I'm afraid that, if I put a "pass" rule to<br>
> > let him use the web site, suricata won't check if he is trying to<br>
> > exploit it.<br>
><br>
> Hmm I think this should work out-of-the-box(tm) without a pass rule.<br>
> If you set EXTERNAL_NET to be 'any' you should be able to drop on<br>
> badness from HOME_NET -> HOME_NET. I don't think a pass rule is<br>
> necessary if the website is accessible by both internal and external<br>
> users.<br>
><br>
> Regards,<br>
><br>
> Will<br>
<br>
<br>
</div>Will,<br>
<br>
Thanks for your reply.<br>
<br>
Anyway, the scenario is mostly as described, I used the web server as<br>
example. My doubt in fact is, if there is a way to make a pass rule, and<br>
still check that the service don't get abused. Another example could be<br>
ftp, if I want to let some net to access it, but if a DoS is tried<br>
against it, let suricata scan it and block it if necessary.<br>
<br>
<br>
Again, thanks for you help Will.<br>
<br>
Regards,<br>
<font color="#888888"><br>
Martin<br>
</font><div><div></div><div class="h5"><br>
<br>
<br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</div></div></blockquote></div><div><br></div><div>Hey Guys.,</div><div><br></div><div>I've been following this discussion this morning but haven't had a chance to reply... </div><br><div>If you want to let Suricata pass traffic from your HOME_NET, then why add any rules at all? You can still what is being done to that host via the HTTP logs (both from Suricata and on that host itself). Then, you are free to add any rules that you need in order to detect actual attacks... Or am I misinterpreting what you are trying to accomplish?</div>
<div><br></div><div>See Yas!<br>~Brant</div><div><br></div>