Hi guys. I need help. I have a Suricata here where I made an integration with my router: when any alert happens, rules are automatically created on my router's firewall. The problem is that sometimes I create rules with my own public IP, which is fixed. And it also creates rules with external IPs from some of my clients. So I would like to see if there is a possibility of making a rule or something with which Suricata lets it go and does not create alerts related to my IP or an IP range that would be of my clients.
There are multiple ways to handle this.
The easiest is to make sure the Suricata detection logic never sees traffic to or from those IPs.
Have a look at 9.7. Ignoring Traffic — Suricata 7.0.0-dev documentation
I would recommend a BPF filter or pass rules. The BPF filter can also be defined in the suricata.yaml file.
I tried to create a rule file called bypass.rules in /etc/suricata/rules.
Within this file I put this:
pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from / to 1.2.3.4"; sid:1;)
1.2.3.4 being my external IP.
But it didn't work. The problem is that it is capturing traffic from both sides and I want alerts only for what comes from the internet to my IP, not from my IP to the internet, as it is creating several streams of alerts with my IP.
In the suricata.yaml file, in the af-packet section, to ignore it, just put
bpf-filter: not host 1.2.3.4
That?
That BPF Filter would also exclude traffic towards your IP.
Did you ensure the pass rule was loaded?
Do you still, with this pass rule enabled, get alerts with your IP as source?
You just copy-pasted your last reply I was referring to?!
Sorry, the answer was saved in my ctrl + c.
So I tried it in two ways. I tried to create a new folder, I gave Suricata permission, I put the bypass rule for my IP there, I added the path to the yaml; I also put this same rule in /etc/suricata/rules. I rebooted the server, I ran the commands suricata-update and suricata -T, apparently with no error, but then I start capturing and look at the fast.log file, and there are only alerts from my IP > to the destination IP. I need it to be the other way around, because I have one application that automatically creates the firewall rules on my router, but the way it is now it is creating rules only with my IP. I don't want to capture anything that goes out from my IP, just whatever comes to it.
So there are two things:
- Try to restart Suricata and check if the pass rule was actually loaded; look at the suricata.log (depending on the verbosity set). It would be worth debugging why the pass rule doesn't work.
- You can define the bpf filter like that: bpf-filter: "not src host 1.2.3.4"
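The same directional problem exists on the integration side: the application that turns alerts into router firewall rules should never act on an alert whose source is the poster's own fixed IP or a client range, regardless of whether Suricata itself was told to ignore that traffic. The following is an added example, not code from the thread or from the Suricata project, that filters Suricata eve.json alert records that way before any firewall rule is derived. The IP 1.2.3.4 from the thread is used as the home address; the client range 192.0.2.0/24 and the sample records are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample eve.json records (not real traffic): one outbound alert from the
# home IP, one inbound alert from an unknown host, one inbound from a client range,
# and one non-alert flow record.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"1.2.3.4","src_port":51000,"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","alert":{"signature":"EXAMPLE outbound","signature_id":1000001,"severity":3}}',
    '{"timestamp":"2023-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.77","src_port":4444,"dest_ip":"1.2.3.4","dest_port":22,"proto":"TCP","alert":{"signature":"EXAMPLE inbound scan","signature_id":1000002,"severity":2}}',
    '{"timestamp":"2023-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":5555,"dest_ip":"1.2.3.4","dest_port":80,"proto":"TCP","alert":{"signature":"EXAMPLE client traffic","signature_id":1000003,"severity":3}}',
    '{"timestamp":"2023-01-01T10:00:03.000000+0000","event_type":"flow","src_ip":"198.51.100.77","dest_ip":"1.2.3.4","proto":"TCP"}',
]

# Assumptions: the poster's fixed public IP and one client range that must never be blocked.
HOME_NETS = [ipaddress.ip_network("1.2.3.4/32")]
CLIENT_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def in_any(ip, nets):
    """True if the address string falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def select_blockable_alerts(lines, home_nets=HOME_NETS, allow_nets=CLIENT_NETS):
    """Return (src_ip, sid, signature) for alerts that may become firewall rules.

    Only alerts where the source is external (not our IP, not an allowlisted
    client) and the destination is our IP are kept, so outbound alerts never
    produce a rule that blocks our own address.
    """
    blockable = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed lines
        if ev.get("event_type") != "alert":
            continue  # flow, dns, http, ... records are not actionable here
        src, dst = ev.get("src_ip"), ev.get("dest_ip")
        if not src or not dst:
            continue
        if in_any(src, home_nets):
            continue  # outbound: our own IP is the source, never block it
        if in_any(src, allow_nets):
            continue  # allowlisted client ranges
        if not in_any(dst, home_nets):
            continue  # only act on traffic aimed at us
        alert = ev.get("alert", {})
        blockable.append((src, alert.get("signature_id"), alert.get("signature")))
    return blockable


def unique_sources(blockable):
    """Deduplicate sources so one noisy scanner yields one firewall rule, not many."""
    seen = []
    for src, _sid, _sig in blockable:
        if src not in seen:
            seen.append(src)
    return seen


if __name__ == "__main__":
    hits = select_blockable_alerts(SAMPLE_EVE_LINES)
    for src, sid, sig in hits:
        print(f"would block {src} (sid {sid}: {sig})")
    print("unique sources:", unique_sources(hits))
```

In a real deployment the lines would come from tailing eve.json rather than the embedded list, and the allowlist would be loaded from configuration; the point is that the direction check (source external, destination home) is enforced where the firewall rule is created, so a missing or misloaded pass rule in Suricata cannot cause the poster's own IP to be blocked.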