[Oisf-users] Pass and Drop
william.metcalf at gmail.com
Tue Jun 15 14:50:35 UTC 2010
>I don't want to split it, as local user will match "HOME_NET"
> parameter. What I want is to allow users to access the webserver, but
> also check if there is a exploitation attempt. For example, I want to
> let the employee to access the site, but not to exploit a possible SQL
> injection on the service. I'm afraid that, if I put a "pass" rule to
> let him use the web site, suricata won't check if he is trying to
> exploit it.
Hmm I think this should work out-of-the-box(tm) without a pass rule.
If you set EXTERNAL_NET to be 'any' you should be able to drop on
badness from HOME_NET -> HOME_NET. I don't think a pass rule is
necessary if the website is accessible by both internal and external
More information about the Oisf-users