[Oisf-users] Suricata - vars and multiple interfaces

Mon Aug 6 16:02:02 UTC 2018

Thank you Eric,

but a single-homed proxy may be an issue if the only selector available is
VLAN tag.
Cause proxy IP/VLAN will always be the same on both network interfaces
(unfortunatelly also this kind of configuration may exist).

Regards
2018-08-06 17:45 GMT+02:00 Eric Urban <eurban at umn.edu>:

> It is possible to have separate configs by VLAN mappings, but not sure if
> this helps you.
>
> https://suricata.readthedocs.io/en/suricata-4.0.5/
> configuration/multi-tenant.html?highlight=tenancy
>
> --
> Eric Urban
> University Information Security | Office of Information Technology |
> it.umn.edu
> University of Minnesota | umn.edu
> eurban at umn.edu
>
> On Mon, Aug 6, 2018 at 10:40 AM, Davide Setti <d.setti at certego.net> wrote:
>
>> Hi all,
>>
>> At the moment I am using suricata to listen from two different network
>> interfaces.
>>
>> Each interface receives different traffic, in particular:
>>
>>    - traffic from clients to proxy
>>    - traffic from proxy to internet
>>
>> For this I need to use different configurations for HOME_NET and
>> EXTERNAL_NET for each interface.
>> The first should have:
>>
>>    - HOME_NET = <private address space>
>>    - EXTERNAL_NET = <proxy-address>
>>
>> While the second should have:
>>
>>    - HOME_NET = <private address space>
>>    - EXTERNAL_NET = <public address space>
>>
>>
>> However in generated/example suricata.yaml variables are defined only
>> globally and I would like to have only a single suricata instance running.
>>
>> Looking at comments in suricata.yaml is it should be possible to define a
>> different BPF filter for each interface.
>> Is it possible to define variables on interface basis or any interface
>> specific override?
>>
>> Regards
>> --
>> <http://www.certego.net/>
>> Davide Setti
>> R&D and Incident Response Team, Certego
>> <http://www.linkedin.com/company/certego>
>> <http://twitter.com/Certego_IRT>  <http://github.com/certego>
>> <http://www.youtube.com/CERTEGOsrl>
>> <http://plus.google.com/117641917176532015312>
>> Use of the information within this document constitutes acceptance for
>> use in an "as is" condition. There are no warranties with regard to this
>> information; Certego has verified the data as thoroughly as possible. Any
>> use of this information lies within the user's responsibility. In no event
>> shall Certego be liable for any consequences or damages, including direct,
>> indirect, incidental, consequential, loss of business profits or special
>> damages, arising out of or in connection with the use or spread of this
>> information.
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>>
>
>

-- 
<http://www.certego.net/>
Davide Setti
R&D and Incident Response Team, Certego
<http://www.linkedin.com/company/certego>  <http://twitter.com/Certego_IRT>
<http://github.com/certego>  <http://www.youtube.com/CERTEGOsrl>
<http://plus.google.com/117641917176532015312>
Use of the information within this document constitutes acceptance for use
in an "as is" condition. There are no warranties with regard to this
information; Certego has verified the data as thoroughly as possible. Any
use of this information lies within the user's responsibility. In no event
shall Certego be liable for any consequences or damages, including direct,
indirect, incidental, consequential, loss of business profits or special
damages, arising out of or in connection with the use or spread of this
information.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180806/bb0392ea/attachment-0001.html>