AlienVault® USM Appliance™

Configuring Network IDS to Detect Internal Network Attacks

Version: 5.x
Deployment: All deployments

By default, the Network IDS in AlienVault USM Appliance detects and reports only attacks that originate from hosts outside the organization's network (outside HOME_NET), not attacks launched from hosts on the internal network. USM Appliance does not currently provide a web UI option to change this behavior. You can, however, change the EXTERNAL_NET setting in the Suricata configuration file, suricata.yaml, so that the Network IDS detects attacks from devices on the internal network as well as from external networks.

The default value of the EXTERNAL_NET variable in the /etc/suricata/suricata.yaml file is the following (shown here in Snort-style var syntax; in the YAML file itself the same setting appears under vars: and address-groups: as EXTERNAL_NET: "!$HOME_NET"):

var EXTERNAL_NET !$HOME_NET

This defines EXTERNAL_NET as every address that is not part of HOME_NET. Because most rules are written with $EXTERNAL_NET as the source and $HOME_NET as the destination, traffic whose source is a host inside HOME_NET never matches those rules, so an attack launched from inside the network is never reported.

To detect attacks from both inside and outside the organization's network, replace !$HOME_NET with any, like this:

var EXTERNAL_NET any

With this setting, $EXTERNAL_NET -> $HOME_NET rules also match internal-to-internal traffic. Expect more alerts, including false positives from legitimate internal vulnerability scanners, monitoring systems and backup jobs, and a higher rule-matching load on the sensor, so review and tune the resulting alerts after the change.

Save the file and restart the service:

service suricata restart

To define your own custom Network IDS rules, add them to the /etc/suricata/rules/local.rules file.

To direct Suricata to load your local rules, you also need to add the following line at the end of the /etc/suricata/rule-files.yaml file:

- local.rules
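The following script is an added example, not AlienVault's own tooling, and covers both procedures on this page: switching EXTERNAL_NET to any and enabling local.rules. It rehearses each edit on constructed copies of the files so you can check the result before touching the appliance, then applies the same functions to the real paths and restarts Suricata only after suricata -T validates the configuration. The sample ICMP rule, its SID (1000001) and the file paths in apply_on_appliance are assumptions for illustration; the rule exists to show why EXTERNAL_NET matters, since with the default !$HOME_NET an internal host pinging another internal host never triggers it, while with any it does.

```shell
#!/bin/sh
# Added example (not AlienVault's code): rehearse and apply the EXTERNAL_NET
# change and the local.rules setup. Paths and the sample rule are assumptions.
set -eu

# Print the configured EXTERNAL_NET value ("!$HOME_NET", "any", ...) or "unset".
# Understands both the YAML address-group form found in suricata.yaml and the
# Snort-style "var" line shown on this page.
external_net_value() {
    awk '
        /^[ \t]*EXTERNAL_NET:/   { v = $2; gsub(/"/, "", v); print v; found = 1; exit }
        /^var EXTERNAL_NET[ \t]/ { print $3; found = 1; exit }
        END                      { if (!found) print "unset" }
    ' "$1"
}

# Switch EXTERNAL_NET from !$HOME_NET to any, keeping a .bak copy of the file.
# Writes to a temp file and renames it so a failed sed never leaves a
# truncated configuration behind.
set_external_net_any() {
    cfg="$1"
    cp "$cfg" "$cfg.bak"
    sed \
        -e 's/^\([[:space:]]*EXTERNAL_NET:[[:space:]]*\)"!\$HOME_NET"/\1"any"/' \
        -e 's/^\(var EXTERNAL_NET[[:space:]][[:space:]]*\)!\$HOME_NET[[:space:]]*$/\1any/' \
        "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Append "- local.rules" to rule-files.yaml only if it is not already listed,
# then print how many times it is listed (expected: 1, even on repeated runs).
enable_local_rules() {
    rulefiles="$1"
    if ! grep -qE '^[[:space:]]*-[[:space:]]*local\.rules[[:space:]]*$' "$rulefiles"; then
        printf '%s\n' '- local.rules' >> "$rulefiles"
    fi
    grep -cE '^[[:space:]]*-[[:space:]]*local\.rules[[:space:]]*$' "$rulefiles"
}

# Add a test rule (assumed SID 1000001, in the local range) unless it is already
# present; duplicate SIDs would make Suricata reject the rule file. The rule
# only fires for sources matching $EXTERNAL_NET, which is exactly what the
# EXTERNAL_NET change controls.
write_sample_rule() {
    rules="$1"
    grep -q 'sid:1000001;' "$rules" 2>/dev/null || cat >> "$rules" <<'EOF'
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP echo request"; itype:8; classtype:misc-activity; sid:1000001; rev:1;)
EOF
}

# Rehearsal on constructed copies of the files (no appliance needed).
rehearse() {
    dir=$(mktemp -d)
    cat > "$dir/suricata.yaml" <<'EOF'
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
EOF
    printf '%s\n' '- emerging-trojan.rules' > "$dir/rule-files.yaml"
    before=$(external_net_value "$dir/suricata.yaml")
    set_external_net_any "$dir/suricata.yaml"
    after=$(external_net_value "$dir/suricata.yaml")
    write_sample_rule "$dir/local.rules"
    n=$(enable_local_rules "$dir/rule-files.yaml")
    rm -rf "$dir"
    echo "EXTERNAL_NET: $before -> $after; local.rules listed $n time(s)"
}

# On the appliance (assumed paths): make the changes, validate the whole
# configuration with suricata -T, and restart only if validation passes.
apply_on_appliance() {
    set_external_net_any /etc/suricata/suricata.yaml
    write_sample_rule    /etc/suricata/rules/local.rules
    enable_local_rules   /etc/suricata/rule-files.yaml >/dev/null
    suricata -T -c /etc/suricata/suricata.yaml && service suricata restart
}

rehearse
```

Run the script as-is to rehearse on temporary copies; call apply_on_appliance only on the sensor itself, after confirming the rehearsal output reads "!$HOME_NET -> any". Both file-editing functions are idempotent, so re-running after a failed restart does not duplicate the rule-files.yaml entry or the SID.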

For more information on configuring custom rules for Network IDS, see Customize AlienVault NIDS Rules.