Why i cant block only one direction conexion?

Mestre · March 30, 2022, 10:01am

I have these rules:

drop ICMP $HOME_NET any -> $TREX_NET any (msg:"ping dropeado ";sid: 200002;rev:1;)
pass ICMP $TREX_NET any -> $HOME_NET any (msg:"ping trex a home net";sid:200008;)

so I want to block home net to Trex net but I want to receive pings from Trex net to Home net

but with this config, the two ways are allowed

suricatalfon · March 30, 2022, 10:31am

Hola, Nacho.

Es posible que ICMP lo tengas que poner en minúscula en la regla?
Revisaría también, en el .yaml, el action-order.
Para dropear no debe estar en modo IPS ?

Saludos,

Mestre · March 30, 2022, 10:38am

Vale mi problema ha sido la definicion de la red TREX_NET, gracias por tu respuesta igualmente

Topic		Replies	Views
ICMP issue with non-default action order Help rules	4	1399	September 10, 2021
Ping rule to detect Help rules	7	846	October 25, 2023
ICMP Drop threshold for Suricata IPS Rules ips , rules , suricata	3	446	June 15, 2023
Help with custom rule Rules suricata	1	303	March 29, 2024
Except trusted IP Help	10	700	February 25, 2021

Why i cant block only one direction conexion?

Related Topics