[Oisf-users] Pass and Drop

Brant Wells bwells at tfc.edu
Tue Jun 15 17:19:35 UTC 2010


On Tue, Jun 15, 2010 at 1:10 PM, Martin Spinassi <martins.listz at gmail.com> wrote:

> On Tue, 2010-06-15 at 09:50 -0500, Will Metcalf wrote:
> > > I don't want to split it, as local user will match "HOME_NET"
> > > parameter. What I want is to allow users to access the webserver, but
> > > also check if there is an exploitation attempt. For example, I want to
> > > let the employee access the site, but not to exploit a possible SQL
> > > injection on the service. I'm afraid that, if I put a "pass" rule to
> > > let him use the web site, suricata won't check if he is trying to
> > > exploit it.
> >
> > Hmm I think this should work out-of-the-box(tm) without a pass rule.
> > If you set EXTERNAL_NET to be 'any' you should be able to drop on
> > badness from HOME_NET -> HOME_NET.  I don't think a pass rule is
> > necessary if the website is accessible by both internal and external
> > users.
> >
> > Regards,
> >
> > Will
>
>
> Will,
>
> Thanks for your reply.
>
> Anyway, the scenario is mostly as described, I used the web server as
> example. My doubt in fact is, if there is a way to make a pass rule, and
> still check that the service doesn't get abused. Another example could be
> ftp, if I want to let some net to access it, but if a DoS is tried
> against it, let suricata scan it and block it if necessary.
>
>
> Again, thanks for your help Will.
>
> Regards,
>
> Martin
>
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>

Hey Guys,

I've been following this discussion this morning but haven't had a chance to
reply...

If you want to let Suricata pass traffic from your HOME_NET, then why add
any rules at all?  You can still see what is being done to that host via the
HTTP logs (both from Suricata and on that host itself).  Then, you are free
to add any rules that you need in order to detect actual attacks...  Or am I
misinterpreting what you are trying to accomplish?

See Yas!
~Brant
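The thread turns on one property of Suricata's action precedence: with the default action-order (pass, drop, reject, alert), a matching pass rule ends inspection of that packet, so a pass rule for the internal users would also silence a drop rule written for the same host. The model below is an added example, not code from the thread or from Suricata; it is a simplified simulation of rule matching (address variables, a destination port and a substring content match only), with a constructed HOME_NET of 10.0.0.0/8, a constructed SQL-injection drop rule and constructed traffic. It runs the three configurations the participants discuss: the pass rule Martin is worried about, the default EXTERNAL_NET of !$HOME_NET, and Will's suggestion of EXTERNAL_NET set to any with no pass rule.

```python
"""Toy model of Suricata's rule-action precedence (pass > drop > reject > alert).

Constructed example: a simplified simulation, not Suricata's engine. It only
models source/destination address variables, a destination port and a
substring 'content' match, which is enough to show why a pass rule silences
inspection and how EXTERNAL_NET=any lets drop rules cover HOME_NET -> HOME_NET.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed network layout: internal users and the web server share HOME_NET.
HOME_NET = [ip_network("10.0.0.0/8")]

# Suricata's default action-order: a matching pass rule wins over drop, etc.
ACTION_ORDER = ("pass", "drop", "reject", "alert")


@dataclass(frozen=True)
class Rule:
    action: str
    src: str                # "$HOME_NET", "$EXTERNAL_NET" or "any"
    dst: str
    dport: Optional[int]    # None means any port
    content: Optional[str]  # substring that must appear in the payload
    msg: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str


def in_home_net(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in HOME_NET)


def addr_matches(spec: str, ip: str, external_net_any: bool) -> bool:
    """Resolve a rule address variable against a packet address."""
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return in_home_net(ip)
    if spec == "$EXTERNAL_NET":
        # Default is !$HOME_NET; Will's suggestion is to set it to 'any'.
        return True if external_net_any else not in_home_net(ip)
    raise ValueError(f"unknown address spec {spec!r}")


def rule_matches(rule: Rule, pkt: Packet, external_net_any: bool) -> bool:
    return (
        addr_matches(rule.src, pkt.src, external_net_any)
        and addr_matches(rule.dst, pkt.dst, external_net_any)
        and (rule.dport is None or rule.dport == pkt.dport)
        and (rule.content is None or rule.content in pkt.payload)
    )


def evaluate(pkt: Packet, rules: list, external_net_any: bool = False):
    """Return (verdict, alert messages) for one packet.

    'allow' means no rule matched, so the packet is forwarded but nothing is
    logged. A matching pass rule short-circuits: the packet is passed and no
    other rule on it produces an alert or a drop.
    """
    hits = [r for r in rules if rule_matches(r, pkt, external_net_any)]
    if not hits:
        return "allow", []
    hits.sort(key=lambda r: ACTION_ORDER.index(r.action))
    if hits[0].action == "pass":
        return "pass", []
    return hits[0].action, [r.msg for r in hits]


# Constructed rules: the SQLi drop rule and the pass rule under discussion.
SQLI_DROP = Rule("drop", "$EXTERNAL_NET", "$HOME_NET", 80, "' OR 1=1", "SQLi attempt")
PASS_INTERNAL_WEB = Rule("pass", "$HOME_NET", "$HOME_NET", 80, None, "allow internal web")

# Constructed traffic: an employee browsing normally, and the same employee probing.
NORMAL = Packet("10.1.1.5", "10.0.0.80", 80, "GET /index.html HTTP/1.1")
SQLI = Packet("10.1.1.5", "10.0.0.80", 80, "GET /login?user=' OR 1=1-- HTTP/1.1")


def scenarios():
    """Run the three configurations discussed in the thread."""
    return {
        # Martin's worry: the pass rule silences the drop rule for the same host.
        "pass_rule_present": evaluate(SQLI, [PASS_INTERNAL_WEB, SQLI_DROP], external_net_any=True),
        # Default EXTERNAL_NET (!$HOME_NET): internal abuse is never inspected.
        "external_is_not_home": evaluate(SQLI, [SQLI_DROP], external_net_any=False),
        # Will's suggestion: EXTERNAL_NET=any and no pass rule.
        "external_any_sqli": evaluate(SQLI, [SQLI_DROP], external_net_any=True),
        "external_any_normal": evaluate(NORMAL, [SQLI_DROP], external_net_any=True),
    }


if __name__ == "__main__":
    for name, (verdict, msgs) in scenarios().items():
        print(f"{name:22} -> {verdict:5} {msgs}")
```

Normal browsing from the employee matches no rule in any configuration and is simply forwarded, which is Brant's point that no pass rule is needed to let the traffic through. The injection attempt is dropped only in the third configuration; with the pass rule present it is passed silently, and with the default EXTERNAL_NET it is never compared against the drop rule at all.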