[Oisf-users] Suricata - vars and multiple interfaces
jason taylor
jtfas90 at gmail.com
Mon Aug 6 17:19:41 UTC 2018
Response below.
On Mon, 2018-08-06 at 18:02 +0200, Davide Setti wrote:
> Thank you Eric,
>
> but a single-homed proxy may be an issue if the only selector
> available is VLAN tag.
> Cause proxy IP/VLAN will always be the same on both network
> interfaces (unfortunatelly also this kind of configuration may
> exist).
>
> Regards
> 2018-08-06 17:45 GMT+02:00 Eric Urban <eurban at umn.edu>:
> > It is possible to have separate configs by VLAN mappings, but not
> > sure if this helps you.
> >
> >
https://suricata.readthedocs.io/en/suricata-4.0.5/configuration/multi-tenant.html?highlight=tenancy
> >
> > --
> > Eric Urban
> > University Information Security | Office of Information Technology
> > | it.umn.edu
> > University of Minnesota | umn.edu
> > eurban at umn.edu
> >
> > On Mon, Aug 6, 2018 at 10:40 AM, Davide Setti <d.setti at certego.net>
> > wrote:
> > > Hi all,
> > >
> > > At the moment I am using suricata to listen from two different
> > > network interfaces.
> > >
> > > Each interface receives different traffic, in particular:
> > > traffic from clients to proxy
> > > traffic from proxy to internet
> > > For this I need to use different configurations for HOME_NET and
> > > EXTERNAL_NET for each interface.
> > > The first should have:
> > > HOME_NET = <private address space>
> > > EXTERNAL_NET = <proxy-address>
> > > While the second should have:
> > > HOME_NET = <private address space>
> > > EXTERNAL_NET = <public address space>
> > >
> > > However in generated/example suricata.yaml variables are defined
> > > only globally and I would like to have only a single suricata
> > > instance running.
> > >
> > > Looking at comments in suricata.yaml is it should be possible to
> > > define a different BPF filter for each interface.
> > > Is it possible to define variables on interface basis or any
> > > interface specific override?
> > >
> > > Regards
> > > --
> > > Davide SettiR&D and Incident Response Team, Certego
> > > Use of the information within this document constitutes
> > > acceptance for use in an "as is" condition. There are no
> > > warranties with regard to this information; Certego has verified
> > > the data as thoroughly as possible. Any use of this information
> > > lies within the user's responsibility. In no event shall Certego
> > > be liable for any consequences or damages, including direct,
> > > indirect, incidental, consequential, loss of business profits or
> > > special damages, arising out of or in connection with the use or
> > > spread of this information.
The way we landed on getting this done was just to run multiple
separate suricata instances.
For instance eth0 is receiving Internet bound traffic and eth1 is
receiving VPN traffic.
Each of the interfaces have their own suricata.yaml, rule sets, logs,
etc.
We do not run multi-tenant because of similar reasons that you listed
above.
JT
More information about the Oisf-users
mailing list