HOME_NET Regular Expression

Is there a way to define a regular expression within the HOME_NET variable in the config file? For example, I would like to define a HOME_NET where the subnets might change based on the deployment:
172.20.1xx.0/24

Where xx could range anywhere from 00 to 99. Or would you have to list out each subnet, 172.20.100.0/24, 172.20.101.0/24, etc.?

Thank you.

That’s not possible, but you can define groups in vars and use those vars; see 8.1. Rules Format — Suricata 9.0.0-dev documentation

@craig

Not sure if this is what you were attempting to do, but this is how I do it. Also, for my example I am doing a bit extra for my own reasons; it sounds like you will have your own scenario you will want to “filter out”.

In this I have a “HOME_FILTER”, which contains the IPs that would be in “HOME” but that I want represented as External; in my case, my Reverse Proxies.

Then my “HOME_SUBNETS” are the IPv4 and IPv6 Addresses and Subnets that are my “HOME”.

Now “HOME_NET” is the HOME_SUBNETS - HOME_FILTER.

Finally, EXTERNAL_NET becomes the opposite of HOME_NET.

In this, an attack in plain text directly on my public IP is seen and alerted on. If the attack is seen in plain text behind the TLS-terminating Reverse Proxy, the Reverse Proxy is “EXTERNAL” and everything behind it is “HOME”. The attack is still seen and alerted on, and more so when using “X-Real-Ip”.

With this Reverse Proxy config, the attack is still seen by the EXTERNAL → HOME (or reverse) direction of many rules, with strong importance on properly configuring the use of “X-Real-Ip” for the XFF data and the actual attacker, and then you are good to go! The X-Real-Ip will show up as either the source or the XFF in the alert, depending on how you configure Suricata.

(No extreme IPv6 math was used in the example IPv6 Addresses and Subnets; HOME_FILTER intends to include the IPv6 Addresses of the Reverse Proxies, and HOME_SUBNETS intends to include the /128 and /64 and/or /56 IPv6 Addresses and Subnets from the ISP.)

vars:
  address-groups:
    HOME_FILTER: "[192.168.23.45, 1234:5678:90bc:cdef:12:abcc:cd12:36, 192.168.23.67, 1234:5678:90bc:cdef:12:abcc:cd12:34]"
    HOME_SUBNETS: "[192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 1.2.3.4/32, 1234:5678:90ab:cdef::1/128, 1234:5678:90bc:cdef::/64]"
    HOME_NET: "[$HOME_SUBNETS, !$HOME_FILTER]"
    EXTERNAL_NET: "!$HOME_NET"
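As an added example (not code from either reply, and not part of Suricata), the following Python script shows two things a practitioner would want to check before trusting a vars layout like the one above. First, it resolves address-group expressions with `$var` references and `!` negation into IP membership checks, so you can confirm which addresses end up in HOME_NET and EXTERNAL_NET; the semantics it implements are the ones Suricata documents for `[10.0.0.0/24, !10.0.0.5]` and for `EXTERNAL_NET: "!$HOME_NET"` (match at least one positive entry, or start from "any" when a group has only negated entries, and match none of the negated entries). Second, it answers the original question's `172.20.1xx.0/24` case: xx = 00..99 is the contiguous range 172.20.100.0 to 172.20.199.255, which the standard library collapses to five CIDRs rather than a hundred /24 entries. All addresses in `VARS` are constructed sample values in the shape of the post's config; the function names are this example's own.

```python
"""Resolve Suricata address-group vars (with ! negation) into IP membership
checks, and collapse the 172.20.1xx.0/24 range into minimal CIDRs.
Added example; not Suricata code.  Uses only the standard library."""
import ipaddress

# Constructed sample vars in the shape of the post's config (addresses made up).
VARS = {
    "HOME_FILTER": "[192.168.23.45, 2001:db8:1::45, 192.168.23.67]",
    "HOME_SUBNETS": "[192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 2001:db8::/32]",
    "HOME_NET": "[$HOME_SUBNETS, !$HOME_FILTER]",
    "EXTERNAL_NET": "!$HOME_NET",
}


def _inner(expr):
    """If expr is exactly one bracketed group '[...]', return its body, else None."""
    if not expr.startswith("["):
        return None
    depth = 0
    for i, ch in enumerate(expr):
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if depth == 0:
            return expr[1:i] if i == len(expr) - 1 else None
    return None


def _split_top_level(body):
    """Split 'a, [b, c], d' on commas that are not inside nested brackets."""
    items, depth, cur = [], 0, ""
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    if cur.strip():
        items.append(cur)
    return items


def compile_group(expr, vars_):
    """Return a predicate ip -> bool for a Suricata address-group expression.

    Assumed semantics (as documented for [10.0.0.0/24, !10.0.0.5] and for
    EXTERNAL_NET: "!$HOME_NET"): an address matches if it matches at least one
    positive entry (a group with only negated entries starts from 'any') and
    matches none of the negated entries.  $NAME is looked up in vars_.
    """
    expr = expr.strip()
    body = _inner(expr)
    raw_items = _split_top_level(body) if body is not None else [expr]
    positives, negatives = [], []
    for raw in raw_items:
        tok = raw.strip()
        negated = False
        while tok.startswith("!"):          # '!!x' is x again
            negated = not negated
            tok = tok[1:].strip()
        if tok.startswith("$"):
            pred = compile_group(vars_[tok[1:]], vars_)
        elif tok.startswith("["):
            pred = compile_group(tok, vars_)
        elif tok == "any":
            pred = lambda ip: True
        else:
            net = ipaddress.ip_network(tok, strict=False)  # bare host -> /32 or /128
            pred = lambda ip, net=net: ip.version == net.version and ip in net
        (negatives if negated else positives).append(pred)

    def match(ip):
        ip = ipaddress.ip_address(ip)
        if positives and not any(p(ip) for p in positives):
            return False
        return not any(n(ip) for n in negatives)

    return match


def summarize_third_octet_range(prefix="172.20", low=100, high=199):
    """Collapse prefix.low.0/24 .. prefix.high.0/24 into the minimal CIDR list.
    The asker's 172.20.1xx.0/24 (xx = 00..99) is 172.20.100.0-172.20.199.255."""
    first = ipaddress.ip_address(f"{prefix}.{low}.0")
    last = ipaddress.ip_address(f"{prefix}.{high}.255")
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def home_subnets_var(cidrs):
    """Render a CIDR list in the bracketed form used for address-group vars."""
    return "[" + ", ".join(cidrs) + "]"


if __name__ == "__main__":
    home = compile_group(VARS["HOME_NET"], VARS)
    external = compile_group(VARS["EXTERNAL_NET"], VARS)
    for ip in ["192.168.23.45", "192.168.23.46", "8.8.8.8",
               "2001:db8:1::45", "2001:db8::1"]:
        print(f"{ip:>16}  HOME_NET={str(home(ip)):5}  EXTERNAL_NET={external(ip)}")
    print("HOME_SUBNETS:", home_subnets_var(summarize_third_octet_range()))
```

Run it before reloading Suricata whenever HOME_FILTER changes: a reverse proxy address that is filtered out of HOME_NET lands in EXTERNAL_NET, so any rule written for EXTERNAL_NET → HOME_NET will now see proxied traffic as coming from the proxy's own address unless the XFF/X-Real-Ip handling the reply describes is in place. The summarizer is generic over the third octet, so the same call covers any contiguous block of /24s, not just the 1xx case from the question.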