# Policy rules for a sensor on a NetBird gateway.
# Traffic between the NetBird tunnel (CGNAT carrier range 100.64.0.0/10) and the
# internal 10.0.0.0/8 network is the expected case; these rules alert when a packet
# crosses the gateway and one side is NOT the tunnel range.
# 100.64.0.0/10 is outside 10.0.0.0/8, so both ranges are named explicitly.
# Side effect (intentional): internal-to-internal traffic (10/8 -> 10/8) also matches,
# since neither side is in the tunnel range. Such a flow matches BOTH rules below,
# so it raises sid 1 and sid 2 together; it should never transit this host at all.
# Only 10.0.0.0/8 is treated as internal here; other private ranges are not covered --
# confirm against the site's addressing plan before relying on this.
# The peer subnet NetBird actually assigns may be narrower than the whole /10:
# check it on the gateways with `ifconfig wt0` and tighten the CIDR if it is.
# NOTE(review): sid 1 and sid 2 fall in the range conventionally reserved for
# upstream rulesets; local rules usually use sid >= 1000000 and carry a rev.
# Both rules use protocol "ip", so transport and port are ignored and every
# matching packet can produce an alert, not just the first packet of a flow.

# inbound: a non-tunnel source reaching the internal network
alert ip !100.64.0.0/10 any -> 10.0.0.0/8 any (msg:"TRANSIT non-netbird-tunnel traffic towards internal network"; classtype:policy-violation; sid:2;)

# outbound: internal traffic heading anywhere that is not the tunnel network
alert ip 10.0.0.0/8 any -> !100.64.0.0/10 any (msg:"TRANSIT internal traffic towards non-netbird-tunnel network"; classtype:policy-violation; sid:1;)