[Oisf-users] How to prevent Suricata from inspecting traffic already locally blocked by iptables

Kevin Branch kevin at branchnetconsulting.com
Mon Apr 23 02:26:33 UTC 2018

 Hi all,

I've used Suricata for years but always on a dedicated NIDS server for
inspecting traffic behind a network firewall.  Now I am trying a local
install of Suricata on a Linux cloud server whose traffic I want to
inspect.  The server uses iptables to block all incoming connections other
than http/https.  My problem is that Suricata is generating lots of alerts
about incoming connection attempts (scanning noise) that iptables is
blocking anyway, which I would rather not hear about.

Is there a way to make Suricata ignore packets that have already been
dropped by the local iptables?  I've toyed with the idea of using the
iptables tee facility to pump a subset of eth0 traffic to a dummy0
interface and then having Suricata inspect that instead, but I thought I'd
check in here to see if anyone has a better approach already working for

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180422/529a4fee/attachment.html>

More information about the Oisf-users mailing list