[Oisf-users] How to prevent Suricata from inspecting traffic already locally blocked by iptables

Brad Woodberg bwoodberg at proofpoint.com
Mon Apr 23 13:47:13 UTC 2018


Additionally, if you are not running it in NFQ mode, you could also leverage the pass feature assuming that you can easily identify traffic that you don’t want to inspect:  http://suricata.readthedocs.io/en/suricata-4.0.4/performance/ignoring-traffic.html?highlight=pass

Best Regards,
Brad Woodberg | Group Product Manager, ETPro, Security Tools
Proofpoint, Inc.


E: bwoodberg at proofpoint.com

From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Amar Rathore - CounterSnipe Systems <amar at countersnipe.com>
Date: Monday, April 23, 2018 at 6:30 AM
To: Kevin Branch <kevin at branchnetconsulting.com>, "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] How to prevent Suricata from inspecting traffic already locally blocked by iptables


Hello Kevin

Assuming you are running Suricata in NFQ mode, you should be able to direct (by iptables rule) just the http/https traffic to Suri. You can control this further by destination/port-based rules too. In which case you won't be seeing any other alerts!

You should also be able to fine tune the IDS rule set to a point that it only monitors the traffic you require.

We have a number of in-cloud servers running exactly the same way and will be happy to share configs if required.

Amar

On April 22, 2018 at 10:26 PM Kevin Branch <kevin at branchnetconsulting.com> wrote:

Hi all,

I've used Suricata for years but always on a dedicated NIDS server for inspecting traffic behind a network firewall.  Now I am trying a local install of Suricata on a Linux cloud server whose traffic I want to inspect.  The server uses iptables to block all incoming connections other than http/https.  My problem is that Suricata is generating lots of alerts about incoming connection attempts (scanning noise) that iptables is blocking anyway, which I would rather not hear about.

Is there a way to make Suricata ignore packets that have already been dropped by the local iptables?  I've toyed with the idea of using the iptables tee facility to pump a subset of eth0 traffic to a dummy0 interface and then having Suricata inspect that instead, but I thought I'd check in here to see if anyone has a better approach already working for them.

Thanks,
Kevin
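A small model of the two INPUT-chain layouts discussed in this thread, added here as an illustration and not code from any of the posters or from Suricata: it walks a first-match chain to show which packets reach the NFQUEUE target (and so Suricata) when everything is queued versus when only accepted web flows are. The chain layouts, the equivalent iptables commands in the comments and the sample packets are assumptions about a typical host setup, not Kevin's actual rules.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port
    state: str   # conntrack state: "NEW" or "ESTABLISHED"

# A rule is (match predicate, target); targets mimic iptables -j values.
Rule = Tuple[Callable[[Packet], bool], str]

def walk_chain(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First-match-wins walk of an INPUT chain; unmatched packets hit the policy."""
    for match, target in chain:
        if match(pkt):
            return target
    return policy

def queued(chain: List[Rule], pkts: List[Packet]) -> List[Packet]:
    """Packets that reach NFQUEUE, i.e. the ones Suricata gets to inspect."""
    return [p for p in pkts if walk_chain(chain, p) == "NFQUEUE"]

WEB_PORTS = {80, 443}

# Layout 1: queue everything (iptables -A INPUT -j NFQUEUE). Suricata sees the
# scanning noise before the firewall policy gets a chance to drop it.
QUEUE_ALL: List[Rule] = [(lambda p: True, "NFQUEUE")]

# Layout 2 (assumed shape of Amar's suggestion): queue only flows the host
# accepts anyway; the rest falls through to the DROP policy unseen. Roughly:
#   iptables -P INPUT DROP
#   iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j NFQUEUE
#   iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -j NFQUEUE
QUEUE_WEB_ONLY: List[Rule] = [
    (lambda p: p.state == "ESTABLISHED", "NFQUEUE"),
    (lambda p: p.proto == "tcp" and p.state == "NEW" and p.dport in WEB_PORTS, "NFQUEUE"),
]

SAMPLE_PACKETS = [  # constructed sample traffic
    Packet("tcp", 443, "NEW"),         # legitimate HTTPS client
    Packet("tcp", 22, "NEW"),          # SSH probe: the noise Kevin wants gone
    Packet("udp", 161, "NEW"),         # SNMP probe
    Packet("tcp", 80, "ESTABLISHED"),  # reply traffic of an accepted HTTP flow
]

if __name__ == "__main__":
    for name, chain in (("queue-all", QUEUE_ALL), ("web-only", QUEUE_WEB_ONLY)):
        print(name, [(p.proto, p.dport) for p in queued(chain, SAMPLE_PACKETS)])
```

Brad's pass-rule alternative is not modeled because it works after the packet has already reached Suricata; the point of the chain order above is that dropped probes never get there at all.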

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/