[Oisf-users] Pass and Drop

Martin Spinassi martins.listz at gmail.com
Tue Jun 15 17:10:19 UTC 2010


On Tue, 2010-06-15 at 09:50 -0500, Will Metcalf wrote:
> > I don't want to split it, as local users will match the "HOME_NET"
> > parameter. What I want is to allow users to access the webserver, but
> > also check if there is an exploitation attempt. For example, I want to
> > let the employee access the site, but not exploit a possible SQL
> > injection on the service. I'm afraid that, if I put a "pass" rule to
> > let him use the web site, Suricata won't check if he is trying to
> > exploit it.
> 
> Hmm I think this should work out-of-the-box(tm) without a pass rule.
> If you set EXTERNAL_NET to be 'any' you should be able to drop on
> badness from HOME_NET -> HOME_NET.  I don't think a pass rule is
> necessary if the website is accessible by both internal and external
> users.
> 
> Regards,
> 
> Will


Will,

Thanks for your reply.

Anyway, the scenario is mostly as described; I used the web server as
an example. My doubt in fact is whether there is a way to make a pass rule
and still check that the service doesn't get abused. Another example could be
FTP: if I want to let some net access it, but a DoS is tried
against it, let Suricata scan it and block it if necessary.


Again, thanks for your help, Will.

Regards,

Martin





