How to alert on firewall IPs outside HOME_NET + bulk-loading 1000 + custom rules

[Punoo-Khan]

Version

2.4.160

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

24GB

Storage for /

200 gb

Storage for /nsm

200 gb

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Setup Summary:
I'm using Security Onion 2.4.160 running on Proxmox with SPAN (mirror) traffic sent from multiple VMs, including 3 different firewalls. The traffic is successfully mirrored and visible in tcpdump and PCAP, but no Suricata alerts are being triggered when scans like nmap are run against those firewalls.

Problem:
The issue is that the firewall IPs are not part of HOME_NET, so the default Suricata rules don't apply to them. I do not want to expand HOME_NET to include them, as they’re technically external monitored assets.

I want to:

• Generate alerts when those firewall IPs are scanned or attacked
• Write custom Suricata rules targeting those IPs
• Load 1000+ rules efficiently

What I’ve Tried:
I can manually add rules via the Web UI > Detection > Rules, but this is limited to one rule at a time

Traffic is confirmed to reach the sensor (via tcpdump)

The IPs are excluded from HOME_NET, so existing rules won’t trigger

I haven’t found a clear path for bulk uploading custom rules in SO 2.4 or for writing rules targeting IPs outside HOME_NET

My Questions:

• How can I trigger Suricata alerts for specific IPs that are outside of HOME_NET without including them in HOME_NET?
• Can I define a custom variable like FIREWALL_NET in a rules file?
• Or is there another Suricata technique for targeting external assets?
• How can I bulk load 1000+ custom rules into Security Onion 2.4?
• Where do I place .rules files in the file system so that they’re picked up properly?
• Will this survive reboots/updates?

Any help or best practices would be greatly appreciated. Thanks!

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[Zer0-cyber-web]

Strange... In my case (SO 2.4.160, HOME_NET is as usual, no additional settings for monitoring external IPs) - I get all Suricata alarms about my external IPs (AS) - scanning and others... I think there is something about SPAN settings.

[Punoo-Khan]

But i am receiving the traffic of my firewall on my sec onion so the span port is correctly mirroring the traffic but i still see no alerts.
But when i added custom rule of firewall ip in detections tab that rule is triggered so it means it is receiving traffic of firewall just not triggering any alerts.
Also one thing i wanted to ask was in elastic search we integrate fortigate firewall do you any idea related to that?

[Zer0-cyber-web]

Also one thing i wanted to ask was in elastic search we integrate fortigate firewall do you any idea related to that?

What do you mean? I have FortiGate logs on my SO in Elastic and in Dashboards.
Integration process is the same as described at this video:
https://www.youtube.com/watch?v=aoH8qZwAxek
except instead of pfSense you use Fortigate integration. In result you will have fortigate dataset with all searchable logs.

[Punoo-Khan]

Thank you so much
I successfully managed to get FortiGate logs through elastic but when i am running nmap on the FortiGate ip, I dont see any logs related to that.
Also related to above how are you getting alerts of external ip lets say if i run nmap on external ip and the traffic is mirrored onto sec onion are you getting that alert that someone ran nmap on that external ip?

[Zer0-cyber-web]

are you getting alerts of external ip lets say if i run nmap on external ip and the traffic is mirrored onto sec onion are you getting that alert that someone ran nmap on that external ip?

No, we didn't do such testings... Our main target was having browsable logs from all devices. By the way - were do you look for those nmap detections? Because Fortigate's logs do not pass through Suricata, it goes directly to Logstash from Elastic sensor. Therefore - there should be different detection scheme for nmap on Fortigate.

PS: Please, do not forget to mark post that seems to be a solution for your question. :)