[Oisf-users] Pass and Drop

Martin Spinassi martins.listz at gmail.com
Tue Jun 15 14:34:12 UTC 2010


Thanks for your help.

The scenario is what you described. A DMZ with suricata in the middle.
A web server acceded from the internet and from local users.

I don't want to split it, as local user will match "HOME_NET"
parameter. What I want is to allow users to access the webserver, but
also check if there is a exploitation attempt. For example, I want to
let the employee to access the site, but not to exploit a possible SQL
injection on the service. I'm afraid that, if I put a "pass" rule to
let him use the web site, suricata won't check if he is trying to
exploit it.

Hope to be clearer now.

Thanks for your help!



On Tue, Jun 15, 2010 at 10:59 AM, Will Metcalf
<william.metcalf at gmail.com> wrote:
>> How does it work in that case? Will suricata let HOME_NET users access
>> the server, and also check that no one tries nasty things to it (like
>> sql injection for example)?
> Pass rules are processed before other rules so if a pass rule is
> matched then that packet will be allowed.  I'm not sure if I
> understand you correctly but if you have a scenario where you have a
> DMZ and internal/external users connected to the same fw, it may be
> easier to split the traffic out to different NFQUEUE targets and fire
> up multiple suricata processes one bound to each NFQUEUE target with
> different rule sets.  Does this help?
> Regards,
> Will

More information about the Oisf-users mailing list