Closed tunip closed 5 years ago
The problem with this is that it introduces hard dependencies between services (dhcp client / suricata), you might consider adding the subnet your provider uses as home_net.
I would like to avoid all kinds of service restarts on new dhcp leases, often this turns into bumpy and unexpected behaviour further down the road.
Is a reload (not restart) not enough for suricata if home_net changes? If not, then you are right, such hard dependencies are a bad idea.
Can't add all the DSL subnets of my provider. They are too much for Telekom Germany.
I found something similar for pfSense/Snort. That's why I thought it might be possible for OPNsense/Suricata too.
https://docs.netgate.com/pfsense/en/latest/ids-ips/snort-interface-settings.html
> Home Net: selects the network Snort will use as the HOME_NET variable. Default is the recommended choice and contains the firewall WAN IP address and WAN gateway, all networks locally-attached to a firewall interface, the configured DNS servers, VPN addresses and Virtual IP addresses.
[x] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
[x] I have searched the existing issues and I'm convinced that mine is new.
Is your feature request related to a problem? no
Describe the solution you'd like
When you use IPS & Sensei together, you can only use the WAN interface for Suricata. In this setup we miss a lot of the IDS/IPS rules. But if you add the WAN IP to "Home networks" manually, it would be handled as internal and we have a lot more hits from the rules. But if the WAN IP changes, you need to manually adjust it again.
It would be great to have a checkbox on the IDS/IPS Administration page to include the WAN IP in "Home networks". And if the WAN IP changes, IDS rules would be reloaded with the new one.