By default, AlienVault USM Appliance Network IDS is configured only to detect and report attacks initiated by external network devices, not those residing within an organization's own internal network. USM Appliance does not currently provide a web UI option to change this behavior; however, you can modify the EXTERNAL_NET setting in the Network IDS suricata.yaml configuration file so that attacks from devices on an organization's internal network are detected as well as attacks from devices on external networks.
The default setting for the EXTERNAL_NET variable in the /etc/suricata/suricata.yaml file is the following:
var EXTERNAL_NET !$HOME_NET
This setting defines EXTERNAL_NET as every address outside the home network, so Suricata ignores attacks originating from devices in an organization's home network.
To detect attacks from both inside and outside an organization's internal network, replace !$HOME_NET with "any", like this:
var EXTERNAL_NET any
Save the file and restart the service:
service suricata restart
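The following shell functions are an added example, not part of the AlienVault documentation or the USM Appliance itself. They change the EXTERNAL_NET line in a file that uses the "var EXTERNAL_NET ..." form shown above, keep a backup, and run Suricata's configuration test mode (suricata -T) before restarting, so a typo does not take the IDS down. The file path is passed as an argument; the -T flag and the "service suricata restart" command are assumed to be available on the appliance.

```shell
#!/bin/sh
# Added example (not AlienVault's own code): switch EXTERNAL_NET to "any" in a
# suricata.yaml that uses the "var EXTERNAL_NET <value>" form, with a backup,
# a pre-restart validation step, and a rollback if validation fails.

# Print the current EXTERNAL_NET value, or "missing" if the file has no such line.
current_external_net() {
    awk '$1 == "var" && $2 == "EXTERNAL_NET" { print $3; found = 1 }
         END { if (!found) print "missing" }' "$1"
}

# Rewrite the EXTERNAL_NET line to the requested value (default "any").
# Returns 1 when the file has no EXTERNAL_NET line, so nothing is changed silently.
set_external_net() {
    file="$1"
    value="${2:-any}"
    if [ "$(current_external_net "$file")" = "missing" ]; then
        echo "no 'var EXTERNAL_NET' line in $file" >&2
        return 1
    fi
    cp "$file" "$file.bak"                      # keep a copy to roll back to
    tmp="$file.tmp"
    awk -v v="$value" '
        $1 == "var" && $2 == "EXTERNAL_NET" { print "var EXTERNAL_NET " v; next }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Validate the edited file with Suricata's test mode before restarting; restore
# the backup if the configuration does not load. Skips the service steps when
# the suricata binary is not present (for example when run outside the appliance).
apply_and_restart() {
    file="$1"
    set_external_net "$file" any || return 1
    if command -v suricata >/dev/null 2>&1; then
        suricata -T -c "$file" || { mv "$file.bak" "$file"; return 1; }
        service suricata restart
    fi
}
```

Because every rule written against $EXTERNAL_NET now also matches internal sources, expect a higher alert volume from internal (east-west) traffic after this change and tune thresholds accordingly.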
To define your own custom rules concerning network IDS operations, you need to enter the new rules in the /etc/suricata/rules/local.rules file.
To direct Suricata to load your local rules, you also need to add the following line at the end of the /etc/suricata/rule-files.yaml file:
For more information on configuring custom rules for Network IDS, see Customize AlienVault NIDS Rules.