[Oisf-users] How to prevent Suricata from inspecting traffic already locally blocked by iptables
Kevin Branch
kevin at branchnetconsulting.com
Mon Apr 23 02:26:33 UTC 2018
Hi all,
I've used Suricata for years but always on a dedicated NIDS server for
inspecting traffic behind a network firewall. Now I am trying a local
install of Suricata on a Linux cloud server whose traffic I want to
inspect. The server uses iptables to block all incoming connections other
than http/https. My problem is that Suricata is generating lots of alerts
about incoming connection attempts (scanning noise) that iptables is
blocking anyway, which I would rather not hear about.
Is there a way to make Suricata ignore packets that have already been
dropped by the local iptables? I've toyed with the idea of using the
iptables tee facility to pump a subset of eth0 traffic to a dummy0
interface and then having Suricata inspect that instead, but I thought I'd
check in here to see if anyone has a better approach already working for
them.
Thanks,
Kevin
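One approach to the problem raised above, added here as an illustration and not part of Kevin's post or the Suricata project's own documentation: an af-packet or pcap capture on eth0 taps the frames at the link layer, before they reach the netfilter INPUT hook, so Suricata sees every probe that iptables later drops. Attaching Suricata to an NFQUEUE target instead, and placing the queue rules after the firewall's accept logic but before the final DROP, means only packets the firewall has already accepted are handed to Suricata. The script assumes eth0 is the public interface, queue number 0, and a Suricata configuration at /etc/suricata/suricata.yaml (all of these are assumptions, adjustable through the variables at the top).

```shell
#!/bin/sh
# Added example (not from the original post): run Suricata behind the local
# iptables firewall via NFQUEUE so it only inspects traffic the firewall has
# already accepted. Assumed: eth0 is the public interface, queue number 0,
# Suricata config at /etc/suricata/suricata.yaml. "apply" loads the rules and
# starts Suricata (needs root); the default action only prints the ruleset.

set -eu

IFACE="${IFACE:-eth0}"
QUEUE="${QUEUE:-0}"

# Ruleset in iptables-restore format. The ordering is the whole point: a
# packet that falls through to the catch-all DROP never reaches the queue,
# so Suricata never sees the scanning noise the firewall discards anyway.
# --queue-bypass makes the rule fail open (plain ACCEPT) when no process is
# bound to the queue, i.e. when Suricata is not running; drop it if you
# prefer fail-closed.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: neither filtered nor inspected
-A INPUT -i lo -j ACCEPT
# replies to connections this host initiated: accepted and inspected
-A INPUT -i ${IFACE} -m conntrack --ctstate ESTABLISHED,RELATED -j NFQUEUE --queue-num ${QUEUE} --queue-bypass
# the only services exposed to the world: accepted and inspected
-A INPUT -i ${IFACE} -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j NFQUEUE --queue-num ${QUEUE} --queue-bypass
# everything else is dropped here and is never queued to Suricata
-A INPUT -i ${IFACE} -j DROP
# outbound half of every flow, so Suricata sees both directions
-A OUTPUT -o ${IFACE} -j NFQUEUE --queue-num ${QUEUE} --queue-bypass
COMMIT
EOF
}

# Sanity check on the generated ruleset: every NFQUEUE rule in INPUT must
# precede the catch-all DROP, otherwise Suricata would see nothing at all.
# Returns 0 when the ordering is right, 1 otherwise.
check_order() {
    gen_rules | awk '
        /^-A INPUT .*-j NFQUEUE/ { if (dropped) bad = 1 }
        /^-A INPUT .*-j DROP/    { dropped = 1 }
        END { exit bad ? 1 : 0 }'
}

case "${1:-print}" in
    print)
        gen_rules
        ;;
    apply)
        check_order
        gen_rules | iptables-restore
        # Suricata bound to the queue. It issues an ACCEPT verdict unless a
        # rule with action "drop" matches, so with alert-only rules this is
        # still IDS behaviour; the firewall, not Suricata, is what blocks.
        exec suricata -c /etc/suricata/suricata.yaml -q "${QUEUE}"
        ;;
    *)
        echo "usage: $0 [print|apply]" >&2
        exit 2
        ;;
esac
```

Two caveats a practitioner would want to weigh: in NFQUEUE mode Suricata sits inline, so every accepted packet makes a round trip through userspace and a Suricata stall or crash would, without --queue-bypass, stall the traffic with it; and Suricata now only sees what the kernel queues, so if you also want visibility into the dropped probes (say, for a separate low-priority log) you would need a second capture path rather than this one.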