I am trying to configure suricata in my network. When I set one HOME_NET in /etc/suricata/suricata.yml as:

HOME_NET: "[172.20.5.0/24]"

everything works fine. But when I try to define more than one pool of addresses as:

HOME_NET: "[172.20.5.0/24,172.16.0.0/16,172.20.1.0/24]"

I cannot observe any events in /var/log/suricata/log.fast.

How do I properly define a few networks in the HOME_NET variable?
The problem was that I was trying to ping a Home_Net host (172.20.5.12) from another Home_Net host (172.20.5.18), and the property External_Net was set as !$Home_Net. The rule triggering the ping alert:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:2100366; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alerts only on traffic from EXTERNAL_NET to HOME_NET, and I was pinging from HOME_NET to HOME_NET.
To see these "internal" ping alerts you need to define EXTERNAL_NET as any.
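The following is an added example, not code from the original post or from the Suricata project. It models Suricata's address variables just far enough to show why the rule header "$EXTERNAL_NET any -> $HOME_NET any" cannot match a ping between two HOME_NET hosts when EXTERNAL_NET is "!$HOME_NET", and why it does match once EXTERNAL_NET is "any". The HOME_NET list and the two host addresses are the ones from the question and answer; the AddrVar class, parse_addr_var and check_ping are assumptions of this example, and the parser is deliberately simplified compared with Suricata's own (it handles bracketed comma lists, "any", "!" negation of items, and "$NAME" references).

```python
import ipaddress

# The multi-network HOME_NET value quoted in the question.
HOME_NET = "[172.20.5.0/24,172.16.0.0/16,172.20.1.0/24]"


class AddrVar:
    """Minimal model of a Suricata address variable: included networks,
    excluded (negated) networks, and an 'any' flag. Excludes win over
    includes, as they do in Suricata."""

    def __init__(self, includes=(), excludes=(), match_any=False):
        self.includes = list(includes)
        self.excludes = list(excludes)
        self.match_any = match_any

    def contains(self, ip):
        ip = ipaddress.ip_address(ip)
        if any(ip in net for net in self.excludes):
            return False
        if self.match_any:
            return True
        return any(ip in net for net in self.includes)


def parse_addr_var(text, variables=None):
    """Parse values such as "[172.20.5.0/24,172.16.0.0/16]", "any",
    "!$HOME_NET" or "[10.0.0.0/8,!10.0.5.0/24]" into an AddrVar.
    "$NAME" references are resolved from `variables` (name -> AddrVar).
    Simplified model of Suricata's parser, not the real implementation."""
    variables = variables or {}
    text = text.strip()
    if text.lower() == "any":
        return AddrVar(match_any=True)
    includes, excludes, match_any = [], [], False
    for item in text.strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        item = item.lstrip("!")
        if item.startswith("$"):
            ref = variables[item[1:]]
            if negated:
                # "!$HOME_NET": everything except HOME_NET's networks
                # (negating a variable that itself has excludes is not modelled)
                match_any = True
                excludes.extend(ref.includes)
            else:
                includes.extend(ref.includes)
                excludes.extend(ref.excludes)
                match_any = match_any or ref.match_any
        else:
            net = ipaddress.ip_network(item, strict=False)
            (excludes if negated else includes).append(net)
    return AddrVar(includes, excludes, match_any)


def rule_would_fire(src_var, dst_var, src_ip, dst_ip):
    """Address part of a rule header 'alert icmp $SRC any -> $DST any'."""
    return src_var.contains(src_ip) and dst_var.contains(dst_ip)


def check_ping(external_net_value, src_ip="172.20.5.18", dst_ip="172.20.5.12"):
    """Return True if '$EXTERNAL_NET any -> $HOME_NET any' matches one ping,
    for the given EXTERNAL_NET setting. Defaults are the two hosts from the answer."""
    home = parse_addr_var(HOME_NET)
    external = parse_addr_var(external_net_value, {"HOME_NET": home})
    return rule_would_fire(external, home, src_ip, dst_ip)


if __name__ == "__main__":
    for setting in ("!$HOME_NET", "any"):
        print(f"EXTERNAL_NET: {setting!r:14} internal ping matches: {check_ping(setting)}")
    # A genuinely external source matches with either setting.
    print("ping from 8.8.8.8 with !$HOME_NET:", check_ping("!$HOME_NET", src_ip="8.8.8.8"))
```

Running it shows the internal ping matching only under EXTERNAL_NET "any", while a source outside all three HOME_NET ranges matches under both settings. Setting EXTERNAL_NET to "any" therefore makes the whole ET/GPL ruleset also fire on host-to-host traffic inside HOME_NET, which is usually more alerts than intended; an alternative that keeps EXTERNAL_NET as "!$HOME_NET" is a local rule whose header is "$HOME_NET any -> $HOME_NET any" for the specific internal traffic you want to see.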