Suricata Rule per network?

Hi,

since Suricata came into IFFire we use it on the red interface and it works perfect.
Now we have to connect a lot of users over VPN to the network (guess why) and we have a little “problem”.
The users in the homeoffice should have other IDS rules then the red interface but i need rules because.

At the moment it is “only” possible to activate Suricata on the interface without the possibility to select rules for an specific network. So i can only allow or deny for all.
If i for example want to allow smb/nfs and other file share protocols to the VPN users, i have to allow it also on the red network …

Is it possible to change this or can i create some kind of rule?

Best regards

Silvio

Hello Silvio,

I’m sorry there is no easy way to solve your “little” problem.

The only way to process different rules to any other network zone or OpenVPN would be to setup a second instance of suricata by hand (including the required firewall rules), adjust and manage the ruleset by hand and keep it up to date also by hand.

On top of this hard work, you also have to keep in mind that two instances of suricata requires the double amount of system ressouces.

Best regards,

-Stefan

Hi Stefan,

thanks for the answer.
The system ressource should not be a problem, the system has more then enough.
The idea with the second instance sounds interesting but i am aware that this will and should not be a productive solution.
So i will live the restrictions at this point. I prefer a stable and secure system without ‘special handmade’ and possible insecure configured rules.

Thanks

Silvio