I want to setup Suricata as a passive IDS along a network segment that is neither HOME_NET or EXTERNAL_NET. Depending on how the traffic flow is being analyzed, both sides of the network can be internal and external. In other words, I desire alerting for both directions of the network traffic flow.
What is the best way to define HOME and EXTERNAL in this situation?
If you can’t really differentiate between those, you could set them to any but this could become noisy.
Thank you. I’ll add that configuration and monitor for flooding.
When rule writing, we generally consider “HOME_NET” to be the network being defended. This is commonly interpreted as the RFC1918 space being used or the publicly routable IPs owned/leased.
You will likely run into problems in defining both HOME_NET and EXTERNAL_NET as “any”, in particular when rules use a negated variable such as HOME_NET → !$EXTERNAL_NET. When both of those values are “any” an error will be expected as you can’t negate “any”.
Without more details of the traffic flow being monitored (though I suspect NAT playing a part in it), I always suggest splitting logical “flows” of network traffic into specific rulesets designed to inspect the traffic.
For instance, users/servers accessing the internet for general surfing, pulling updates, dns queries, etc is a very different type of network traffic than say the general internet accessing a publicly available resource. I find that the most mature monitored environments split these flows and inspect them with different HOME_NET variables and different collections of enabled rules.
I’m not sure if this “splitting” of network traffic would be of assistance in your use case, but it’s something we see mature/advanced orgs doing. HOME_NET being properly defined is a foundational level configuration item. Ensuring it’s tuned not only helps performance but also reduces FP/FN issues.
If you could provide more details of the specific design (tapping locations, obfuscated network ranges, network layout, etc) I might be able to provide more specific strategies to best optimize the monitoring deployment.
Thank you for the additional information. The network is such that the network link is what needs to be monitored deep within an organization. Since both sides of the link can be considered trusted (internal) and un-trusted (external) at the same time, the traditional definition of HOME and EXTERNAL simply do not apply. NAT is not involved in any way. It has more to do with philosophy than technology when defining the zones of trust.
any any works fine, but when I do a rules update, I have to use the --no-test flag.