[Oisf-users] Suricata - vars and multiple interfaces

Eric Urban eurban at umn.edu
Mon Aug 6 15:45:38 UTC 2018


It is possible to have separate configs by VLAN mappings, but I'm not sure if
this helps you.

https://suricata.readthedocs.io/en/suricata-4.0.5/configuration/multi-tenant.html?highlight=tenancy

-- 
Eric Urban
University Information Security | Office of Information Technology |
it.umn.edu
University of Minnesota | umn.edu
eurban at umn.edu

On Mon, Aug 6, 2018 at 10:40 AM, Davide Setti <d.setti at certego.net> wrote:

> Hi all,
>
> At the moment I am using suricata to listen from two different network
> interfaces.
>
> Each interface receives different traffic, in particular:
>
>    - traffic from clients to proxy
>    - traffic from proxy to internet
>
> For this I need to use different configurations for HOME_NET and
> EXTERNAL_NET for each interface.
> The first should have:
>
>    - HOME_NET = <private address space>
>    - EXTERNAL_NET = <proxy-address>
>
> While the second should have:
>
>    - HOME_NET = <private address space>
>    - EXTERNAL_NET = <public address space>
>
>
> However, in the generated/example suricata.yaml, variables are defined only
> globally, and I would like to have only a single suricata instance running.
>
> Looking at the comments in suricata.yaml, it should be possible to define a
> different BPF filter for each interface.
> Is it possible to define variables on a per-interface basis, or is there any
> interface-specific override?
>
> Regards
> --
> <http://www.certego.net/>
> Davide Setti
> R&D and Incident Response Team, Certego
> <http://www.linkedin.com/company/certego>
> <http://twitter.com/Certego_IRT>  <http://github.com/certego>
> <http://www.youtube.com/CERTEGOsrl>
> <http://plus.google.com/117641917176532015312>
> Use of the information within this document constitutes acceptance for use
> in an "as is" condition. There are no warranties with regard to this
> information; Certego has verified the data as thoroughly as possible. Any
> use of this information lies within the user's responsibility. In no event
> shall Certego be liable for any consequences or damages, including direct,
> indirect, incidental, consequential, loss of business profits or special
> damages, arising out of or in connection with the use or spread of this
> information.
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
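Editor's note, added here and not part of either message above nor of Suricata's shipped configuration: the multi-tenant page Eric links keys the choice of detect engine, and with it the per-tenant HOME_NET/EXTERNAL_NET, on the 802.1Q VLAN id of each packet. That only solves Davide's two-interface case if each feed arrives tagged with its own VLAN id (a tap or SPAN port can add the tag per feed; a plain untagged capture cannot be told apart this way, and a frame whose VLAN id maps to no tenant gets no detection at all). The example below shows the main config plus the two tenant files. Interface names, cluster ids, VLAN ids 100/200, the tenant file names, the proxy address 10.1.1.10 and port 3128 are all assumptions chosen for illustration.

```yaml
# /etc/suricata/suricata.yaml (excerpt; interface names and ids assumed)
# Capture: one af-packet entry per feed. The stock config only offers
# bpf-filter per interface; vars cannot be scoped here.
af-packet:
  - interface: eth1          # clients -> proxy feed, tagged VLAN 100 by the tap (assumed)
    cluster-id: 98
    cluster-type: cluster_flow
  - interface: eth2          # proxy -> internet feed, tagged VLAN 200 by the tap (assumed)
    cluster-id: 99
    cluster-type: cluster_flow

# Multi-tenancy: one detect engine per tenant yaml; the packet's VLAN id
# selects the tenant, and the tenant yaml carries its own vars and rules.
# A packet whose VLAN id matches no mapping is not inspected by any tenant.
multi-detect:
  enabled: yes
  selector: vlan             # 'direct' assigns tenants via the unix socket, not by interface
  loaders: 2                 # threads used to load the tenant rule sets
  tenants:
    - id: 1
      yaml: /etc/suricata/tenant-client-side.yaml     # assumed name
    - id: 2
      yaml: /etc/suricata/tenant-internet-side.yaml   # assumed name
  mappings:
    - vlan-id: 100
      tenant-id: 1
    - vlan-id: 200
      tenant-id: 2

# ---------------------------------------------------------------------
# /etc/suricata/tenant-client-side.yaml (assumed name)
# Tenant 1: clients -> proxy. Only the proxy is "external" on this feed,
# so $EXTERNAL_NET rules fire on proxy-bound traffic only.
default-rule-path: /etc/suricata/rules
rule-files:
  - suricata.rules
vars:
  address-groups:
    HOME_NET: "[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]"
    EXTERNAL_NET: "[10.1.1.10]"      # assumed proxy address
    HTTP_SERVERS: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "[80,3128]"          # 3128 is an assumed proxy listener port

# ---------------------------------------------------------------------
# /etc/suricata/tenant-internet-side.yaml (assumed name)
# Tenant 2: proxy -> internet. Everything outside private space is external.
default-rule-path: /etc/suricata/rules
rule-files:
  - suricata.rules
vars:
  address-groups:
    HOME_NET: "[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
```

Two checks worth doing after switching this on: run `suricata -T -c /etc/suricata/suricata.yaml` so each tenant's rule set is parsed before going live, and then confirm in eve.json that events from the eth1 feed carry tenant_id 1 and those from eth2 carry tenant_id 2 (eve records include a tenant_id field in multi-tenant mode). If the feeds cannot be tagged, a single instance has no way to re-scope the variables, and the remaining options are a second Suricata instance per interface or rules that name the proxy address explicitly instead of relying on $EXTERNAL_NET.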