<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px;">
<div>
<div style="font-family: Calibri, sans-serif;">Additionally, if you are not running it in NFQ mode, you could also leverage the pass feature assuming that you can easily identify traffic that you don’t want to inspect: <a href="http://suricata.readthedocs.io/en/suricata-4.0.4/performance/ignoring-traffic.html?highlight=pass">http://suricata.readthedocs.io/en/suricata-4.0.4/performance/ignoring-traffic.html?highlight=pass</a></div>
<div style="font-family: Calibri, sans-serif;"><br>
</div>
<div style="font-family: Calibri, sans-serif;">Best Regards, </div>
<div>
<div id="">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Arial;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:Calibri;
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal;
font-family:Calibri;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-compose;
font-family:Calibri;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026"/>
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1"/>
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal" style="font-family: Calibri, sans-serif;"><b><span style="font-family:Arial;color:#1D0E00">Brad Woodberg
</span></b><span style="font-family:Arial;color:#1D0E00">l<b> </b>Group Product Manager, ETPro, Security Tools</span><span style="font-size:16.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="font-family: Calibri, sans-serif;"><span style="font-family:Arial">Proofpoint, Inc.</span><span style="font-family: 'MS 明朝', 'MS Mincho';">
</span><span style="font-family: 'MS 明朝', 'MS Mincho'; font-size: 12pt;">
</span></p>
<p class="MsoNormal" style="font-family: Calibri, sans-serif;"><span style="font-family:Arial">E:
<a href="mailto:bwoodberg@proofpoint.com">bwoodberg@proofpoint.com</a><o:p></o:p></span></p>
<p class="MsoNormal" style="font-family: Calibri, sans-serif;"><a href="http://www.proofpoint.com/"><span style="font-family:Arial;color:blue;text-decoration:none"><img border="0" width="150" height="33" id="Picture_x005f_x005f_x005f_x0020_1" src="cid:E45A572A-E9CC-4DAB-B155-1CBC4FE94236" alt="id:image001.png@01D285E1.0101B2B0"></span></a><span style="font-size:16.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="font-family: Calibri, sans-serif;"><span style="font-family:Arial;color:#0F6B96">threat protection l compliance l archiving & governance l secure communication</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
<div style="font-family: Calibri, sans-serif;"><br>
</div>
<span id="OLK_SRC_BODY_SECTION" style="font-family: Calibri, sans-serif;">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Oisf-users <<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">oisf-users-bounces@lists.openinfosecfoundation.org</a>> on behalf of Amar Rathore - CounterSnipe Systems <<a href="mailto:amar@countersnipe.com">amar@countersnipe.com</a>><br>
<span style="font-weight:bold">Date: </span>Monday, April 23, 2018 at 6:30 AM<br>
<span style="font-weight:bold">To: </span>Kevin Branch <<a href="mailto:kevin@branchnetconsulting.com">kevin@branchnetconsulting.com</a>>, "<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [Oisf-users] How to prevent Suricata from inspecting traffic already locally blocked by iptables<br>
</div>
<div><br>
</div>
<span style="mso-bookmark:_MailOriginalBody">
<div>
<div>
<p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: rgb(0, 0, 128);">
Hello Kevin</p>
<p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: rgb(0, 0, 128);">
Assuming you are running Suricata in NFQ mode, you should be able to direct (by iptables rule) just the http/https traffic to Suri. You control this further by destination/port based rule too. In which case you won't be seeing any other alerts! </p>
<p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: rgb(0, 0, 128);">
You should also be able to fine tune the IDS rule set to a point that it only monitors the traffic you require.</p>
<p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: rgb(0, 0, 128);">
We have a number of in cloud servers running exactly the same way and will be happy to share configs if required.</p>
<p style="font-size: 12pt; font-family: arial, helvetica, sans-serif; color: rgb(0, 0, 128);">
Amar</p>
<blockquote type="cite">On April 22, 2018 at 10:26 PM Kevin Branch <<a href="mailto:kevin@branchnetconsulting.com">kevin@branchnetconsulting.com</a>> wrote:
<br>
<br>
<div dir="ltr">
<div style="color: #222222; font-family: arial,sans-serif; font-size: 12.8px; font-style: normal; font-weight: 400; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; background-color: #ffffff;">
Hi all,</div>
<div style="color: #222222; font-family: arial,sans-serif; font-size: 12.8px; font-style: normal; font-weight: 400; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; background-color: #ffffff;">
<br>
</div>
<span style="color: #222222; font-family: arial,sans-serif; font-size: 12.8px; font-style: normal; font-weight: 400; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; background-color: #ffffff; float: none; display: inline;">I've
used Suricata for years but always on a dedicated NIDS server for inspecting traffic behind a network firewall. Now I am trying a local install of Suricata on a Linux cloud server whose traffic I want to inspect. The server uses iptables to block all incoming
connections other than http/https. My problem is that Suricata is generating lots of alerts about incoming connection attempts (scanning noise) that iptables is blocking anyway, which I would rather not hear about.</span>
<div style="color: #222222; font-family: arial,sans-serif; font-size: 12.8px; font-style: normal; font-weight: 400; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; background-color: #ffffff;">
<br>
</div>
<div style="color: #222222; font-family: arial,sans-serif; font-size: 12.8px; font-style: normal; font-weight: 400; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; background-color: #ffffff;">
Is there a way to make Suricata ignore packets that have already been dropped by the local iptables? I've toyed with the idea of using the iptables tee facility to pump a subset of eth0 traffic to a dummy0 interface and then having Suricata inspect that instead,
but I thought I'd check in here to see if anyone has a better approach already working for them.</div>
<div style="color: #222222; font-family: arial,sans-serif; font-size: 12.8px; font-style: normal; font-weight: 400; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; background-color: #ffffff;">
<br>
</div>
<div style="color: #222222; font-family: arial,sans-serif; font-size: 12.8px; font-style: normal; font-weight: 400; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; background-color: #ffffff;">
Thanks,</div>
<div style="color: #222222; font-family: arial,sans-serif; font-size: 12.8px; font-style: normal; font-weight: 400; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; background-color: #ffffff;">
Kevin</div>
<br>
</div>
_______________________________________________ <br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">
oisf-users@openinfosecfoundation.org</a> <br>
Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">
http://suricata-ids.org/support/</a> <br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a> <br>
<br>
Conference: <a href="https://suricon.net">https://suricon.net</a> <br>
Trainings: <a href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></blockquote>
</div>
</div>
</span></span>
</body>
</html>