[Oisf-users] How to prevent Suricata from inspecting traffic already locally blocked by iptables
Victor Julien
lists at inliniac.net
Wed Apr 25 09:54:18 UTC 2018
On 23-04-18 04:26, Kevin Branch wrote:
> Hi all,
>
> I've used Suricata for years but always on a dedicated NIDS server for
> inspecting traffic behind a network firewall. Now I am trying a local
> install of Suricata on a Linux cloud server whose traffic I want to
> inspect. The server uses iptables to block all incoming connections
> other than http/https. My problem is that Suricata is generating lots
> of alerts about incoming connection attempts (scanning noise) that
> iptables is blocking anyway, which I would rather not hear about.
>
> Is there a way to make Suricata ignore packets that have already been
> dropped by the local iptables? I've toyed with the idea of using the
> iptables tee facility to pump a subset of eth0 traffic to a dummy0
> interface and then having Suricata inspect that instead, but I thought
> I'd check in here to see if anyone has a better approach already working
> for them.
I guess there would be 2 possibilities:
1. use a bpf to have suri only look at those open ports: 'tcp port 80
and tcp port 443'
2. use Suricata in NFLOG mode: like with NFQUEUE this can be used to
steer traffic to Suricata from iptables. Unlike NFQUEUE, NFLOG is passive.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
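The second option above, worked through as an added example (this is not code from the thread, from Victor, or from the Suricata project). It assumes eth0 is the public interface, that NFLOG group 2 is unused, and that the `nflog:` section of suricata.yaml lists `group: 2`. Because the NFLOG target is non-terminating, each NFLOG rule sits directly in front of the ACCEPT rule that matches the same traffic, so a scan probe that falls through to the DROP policy is never copied to Suricata. OUTPUT is copied as well so Suricata sees both directions of each flow. The BPF alternative is included for comparison; it uses `or` so that a packet to either port matches. By default the script only prints the commands; `DRY_RUN=0` applies them (root required).

```shell
#!/bin/sh
# Added example: feed Suricata only the traffic iptables accepts, via NFLOG.
# Assumptions (not from the original post): eth0 is the Internet-facing NIC,
# NFLOG group 2 is free, and suricata.yaml's nflog: section has "group: 2".
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.
# MODE=nflog (default) or MODE=bpf selects which Suricata start-up to use.

DRY_RUN="${DRY_RUN:-1}"
MODE="${MODE:-nflog}"
NFLOG_GROUP="${NFLOG_GROUP:-2}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-80,443}"
IFACE="${IFACE:-eth0}"
SURICATA_CFG="${SURICATA_CFG:-/etc/suricata/suricata.yaml}"

# run: print the command line in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# install_rules: default-deny INPUT, accept only the published TCP ports plus
# replies to existing flows.  NFLOG does not terminate rule processing, so each
# NFLOG rule is placed immediately before the ACCEPT that matches the same
# packets; anything that reaches the DROP policy is never copied to Suricata.
install_rules() {
    run iptables -P INPUT DROP
    run iptables -F INPUT
    run iptables -F OUTPUT
    run iptables -A INPUT -i lo -j ACCEPT
    # Replies and related packets for flows the host already accepted.
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j NFLOG --nflog-group "$NFLOG_GROUP"
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections, but only to the services this host publishes.
    run iptables -A INPUT -p tcp -m multiport --dports "$ALLOWED_TCP_PORTS" \
        -m conntrack --ctstate NEW -j NFLOG --nflog-group "$NFLOG_GROUP"
    run iptables -A INPUT -p tcp -m multiport --dports "$ALLOWED_TCP_PORTS" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Suricata needs both directions to reassemble streams, so copy what we send.
    # Narrow this (e.g. -p tcp -m multiport --sports 80,443) if OUTPUT is busy.
    run iptables -A OUTPUT -j NFLOG --nflog-group "$NFLOG_GROUP"
}

# start_suricata_nflog: passive capture from the NFLOG group(s) in suricata.yaml.
start_suricata_nflog() {
    run suricata -c "$SURICATA_CFG" --nflog -D
}

# start_suricata_bpf: the first option, an af-packet capture restricted by BPF.
# "or" is required: "tcp port 80 and tcp port 443" would only match packets
# whose two ports are 80 and 443, i.e. none of the web traffic.
start_suricata_bpf() {
    run suricata -c "$SURICATA_CFG" --af-packet="$IFACE" \
        --bpf-filter "tcp port 80 or tcp port 443" -D
}

# Entry point: print (or apply) the ruleset, then start Suricata in the chosen mode.
main() {
    install_rules
    if [ "$MODE" = "bpf" ]; then
        start_suricata_bpf
    else
        start_suricata_nflog
    fi
}

main
```

With `DRY_RUN=1` the script only prints the plan, which is a cheap way to review the rule ordering before touching a remote host's firewall. Whichever mode is used, the NFLOG path has the property the question asks for: packets the host drops never reach Suricata, so the scan noise disappears from the alert log rather than being filtered out of it afterwards.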