[Oisf-users] Encrypted Traffic

Phil Daws uxbod at splatnix.net
Wed Jan 28 11:20:09 UTC 2015


Good day Victor:

Was wondering about iptables, as is there not a different way of doing this, which I am doing at present:

-A FORWARD -i eth0 -o eth1 -m mark ! --mark 0x1/0x1 -j NFQUEUE
-A FORWARD -i eth1 -o eth0 -m mark ! --mark 0x1/0x1 -j NFQUEUE
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD --match conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Thanks, Phil
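As an added example (not from this thread), one way to combine Phil's mark-based NFQUEUE rules with Victor's suggestion of using iptables to keep the tunnel traffic away from Suricata: the script below emits the FORWARD chain as iptables-restore input, with the exemptions placed ahead of the NFQUEUE rules. Interface names and the mark come from Phil's rules; the set of exempted protocols (GRE = IP protocol 47, ESP, IKE/NAT-T on UDP 500 and 4500) is an assumption.

```shell
#!/bin/sh
# Added example, not code from the mailing list thread.
# Defaults taken from Phil's rules; override via the environment.
IN_IF="${IN_IF:-eth0}"
OUT_IF="${OUT_IF:-eth1}"
MARK="${MARK:-0x1/0x1}"

# Emit the FORWARD rules, in order, as iptables-restore input.
# iptables evaluates top-down, so anything ACCEPTed here never reaches
# the NFQUEUE rules and is therefore never handed to Suricata.
build_ruleset() {
    cat <<EOF
*filter
# Tunnel traffic between the two firewalls (assumed: GRE, ESP, IKE/NAT-T).
-A FORWARD -p 47 -j ACCEPT
-A FORWARD -p esp -j ACCEPT
-A FORWARD -p udp -m multiport --dports 500,4500 -j ACCEPT
# Everything else is queued to Suricata unless it already carries the mark.
-A FORWARD -i $IN_IF -o $OUT_IF -m mark ! --mark $MARK -j NFQUEUE
-A FORWARD -i $OUT_IF -o $IN_IF -m mark ! --mark $MARK -j NFQUEUE
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# 1-based line number of the first rule containing the fixed string $1,
# or 0 when no rule matches.
rule_line() {
    n=$(build_ruleset | grep -n -F -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Sanity check: every tunnel exemption must come before the first NFQUEUE
# rule, otherwise the encrypted packets would still be queued.
check_order() {
    nfq=$(rule_line 'NFQUEUE')
    for pat in '-p 47' '-p esp' '--dports 500,4500'; do
        n=$(rule_line "$pat")
        [ "$n" -gt 0 ] && [ "$n" -lt "$nfq" ] || return 1
    done
    return 0
}

# Only touch the live firewall when explicitly asked ("apply"); by default
# just print the ruleset so it can be reviewed first.
case "${1:-}" in
    apply) check_order && build_ruleset | iptables-restore --noflush ;;
    *)     build_ruleset ;;
esac
```

Note that if the firewall host itself terminates the tunnel, the encrypted packets traverse INPUT and OUTPUT rather than FORWARD, and the exemptions would have to be placed in those chains instead.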


----- Original Message -----
From: "Victor Julien" <lists at inliniac.net>
To: oisf-users at lists.openinfosecfoundation.org
Sent: Wednesday, 28 January, 2015 11:03:30
Subject: Re: [Oisf-users] Encrypted Traffic

On 01/28/2015 11:48 AM, Phil Daws wrote:
> within my lab I have two VMs that are acting as firewalls and connected via an IPSEC tunnel with GRE.  A VM on one end sends traffic over this tunnel to another on the other side.  This traffic should not be subjected to Suricata inspection, as I am using inline, so what would be the best way to suppress that?

In general, check
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic
Note that BPF won't work in inline mode.

I'd imagine a rule like "pass ip any any -> any any (ip_proto:47; ...)"

If you run the iptables/nfq based inline method you can also use
iptables to control which part of the traffic is inspected by Suri.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Training now available: http://suricata-ids.org/training/