[Oisf-users] Pass and Drop

Will Metcalf william.metcalf at gmail.com
Tue Jun 15 14:50:35 UTC 2010

> I don't want to split it, as a local user will match the "HOME_NET"
> parameter. What I want is to allow users to access the webserver, but
> also check if there is an exploitation attempt. For example, I want to
> let the employee access the site, but not exploit a possible SQL
> injection on the service. I'm afraid that, if I put a "pass" rule to
> let him use the web site, Suricata won't check if he is trying to
> exploit it.

Hmm, I think this should work out-of-the-box(tm) without a pass rule.
If you set EXTERNAL_NET to be 'any' you should be able to drop on
badness from HOME_NET -> HOME_NET.  I don't think a pass rule is
necessary if the website is accessible by both internal and external


