Suricata is making it difficult to access USER mode in Samba. I am adding the IP of the devices. Is it correct to add the IPs or do I need to do something?
Solved. I disabled the sub rules emerging-netbios.rules rule and sub rules ET POLICY SMB. Better than adding the device’s IP to the allowlist.
Glad you managed to solve this. Some IDS/IPS rules trigger on certain traffic which may or may not be unusual/unwanted in certain environments, such as RDP or Telnet.
SMB/NetBIOS seems to be among these as well (usually does not appear in *nix-based networks)…
Thanks, and best regards,
I tried not to disable rules, but sub rules, observing the IPS logs. It is a procedure that I do also in OpenBSD.
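
Added example, not part of the original thread: one way to carry out the log-driven approach described above, tallying which individual rule SIDs are actually dropping SMB/NetBIOS traffic so that only those are disabled. It assumes Suricata's EVE JSON output is enabled; the log lines, SIDs and signature names below are constructed placeholders.

```python
import json
from collections import Counter

# NetBIOS name/datagram/session services and SMB over TCP.
SMB_PORTS = {137, 138, 139, 445}

# Constructed EVE JSON sample (placeholder SIDs and names, documentation IPs).
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","src_port":50112,"dest_port":445,"alert":{"action":"blocked","signature_id":9000001,"signature":"EXAMPLE SMB rule A"}}
{"event_type":"alert","src_ip":"192.0.2.11","dest_ip":"192.0.2.20","src_port":50113,"dest_port":445,"alert":{"action":"blocked","signature_id":9000001,"signature":"EXAMPLE SMB rule A"}}
{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","src_port":50114,"dest_port":139,"alert":{"action":"blocked","signature_id":9000002,"signature":"EXAMPLE NetBIOS rule B"}}
{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","src_port":50115,"dest_port":445,"alert":{"action":"allowed","signature_id":9000003,"signature":"EXAMPLE SMB rule C"}}
{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.30","src_port":50116,"dest_port":3389,"alert":{"action":"blocked","signature_id":9000004,"signature":"EXAMPLE RDP rule D"}}
{"event_type":"flow","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","src_port":50117,"dest_port":445}
{"event_type":"alert","dest_port":445,"alert":{"action":"blo
"""

def blocked_smb_rules(eve_text):
    """Return [(sid, signature, hits)] for alerts that dropped traffic on
    SMB/NetBIOS ports, most frequent first."""
    hits, names = Counter(), {}
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line (e.g. cut by log rotation)
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        # Alert-only hits do not break Samba access; only drops matter here.
        if alert.get("action") != "blocked":
            continue
        if not ({ev.get("src_port"), ev.get("dest_port")} & SMB_PORTS):
            continue
        sid = alert.get("signature_id")
        if sid is None:
            continue
        hits[sid] += 1
        names[sid] = alert.get("signature", "")
    return [(sid, names[sid], n) for sid, n in hits.most_common()]

if __name__ == "__main__":
    for sid, name, n in blocked_smb_rules(SAMPLE_EVE):
        print(f"{n:4d}  sid {sid}  {name}")
```

The resulting SIDs are the candidates to review and disable individually, leaving the rest of the ruleset active.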