Thank you very much, I will study right now... <br><br><div class="gmail_quote">2012/10/17 Christophe Vandeplas <span dir="ltr"><<a href="mailto:christophe@vandeplas.com" target="_blank">christophe@vandeplas.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On Wed, Oct 17, 2012 at 9:12 AM, 郑博文 <<a href="mailto:anshuitian@gmail.com">anshuitian@gmail.com</a>> wrote:<br>
><br>
><br>
><br>
>> Sorry for my poor English.<br>
>><br>
>> I just want to take it as an example. I know if my HOME_NET is <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a>, I can set it to HOME_NET [<a href="http://192.168.0.0/16,!192.168.0.10" target="_blank">192.168.0.0/16,!192.168.0.10</a>]. So, no rule would be detected for 192.168.0.10. But this is not what I expected. I still want most of the rules to protect that server.<br>
>><br>
>> I mean, if some rule alerts and drops a packet by mistake, we may disable that rule. But if we do so, all the other IPs in my home net may not be protected by this rule.<br>
>><br>
>> So, my question is: can I just disable some rules for a specific IP?<br>
>><br>
>> I know I can change these rules' source and destination addresses one by one. But it's too hard if the number of rules is very large.<br>
>> I want to know whether I can simply set up a configuration file like the following to do this. Or can some external plug-in module do this job?<br>
>><br>
>> The first field is the IP. The following fields are the SIDs that should be excluded for that IP.<br>
>> 192.168.0.10 2000001,2000002-2000005,2000006<br>
>> <a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a> 2000007,2000008<br>
<br>
<br>
</div>You're probably looking for a threshold configuration. In<br>
/etc/suricata/threshold.config set:<br>
suppress gen_id 1, sig_id 2000001, track by_dst, ip 192.168.0.10<br>
suppress gen_id 1, sig_id 2000002, track by_dst, ip 192.168.0.10<br>
...<br>
(and so on)<br>
<br>
In the suricata.yaml:<br>
# You can specify a threshold config file by setting "threshold-file"<br>
# to the path of the threshold config file:<br>
threshold-file: /etc/suricata/threshold.config<br>
<br>
<br>
Documentation about these rules can be found here:<br>
<a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds</a><br>
<div class="im HOEnZb"><br>
<br>
<br>
<br>
<br>
>> Thanks.<br>
>><br>
>> 2012/10/17 Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>><br>
>>><br>
>>> Hi,<br>
>>><br>
>>> What is your home net variable ?<br>
>>> and could you share the rule?<br>
>>><br>
>>> thank you<br>
>>><br>
>>> On Wed, Oct 17, 2012 at 5:09 AM, 郑博文 <<a href="mailto:anshuitian@gmail.com">anshuitian@gmail.com</a>> wrote:<br>
>>>><br>
>>>> I'm sorry, the picture is bad.<br>
>>>><br>
>>>><br>
>>>><br>
>>>> 2012/10/17 郑博文 <<a href="mailto:anshuitian@gmail.com">anshuitian@gmail.com</a>><br>
>>>>><br>
>>>>> Hello everybody:<br>
>>>>> I recently learned Suricata. Now I am using Suricata in IPS mode to protect two servers (192.168.0.10 and 192.168.0.11), but I want the rule whose ID is 200,001 not to work for 192.168.0.10 while it still works for 192.168.0.11. What should I do? If there are many rules like 200,001, what should I do?<br>
>>>>><br>
>>>>> Here is my topology:<br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>><br>
</div><div class="HOEnZb"><div class="h5">>>>>> Thanks very much!<br>
>>>><br>
>>>><br>
>>>><br>
>>>> _______________________________________________<br>
>>>> Oisf-users mailing list<br>
>>>> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
>>>> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>>>><br>
>>><br>
>>><br>
>>><br>
>>> --<br>
>>> Regards,<br>
>>> Peter Manev<br>
>>><br>
>><br>
><br>
><br>
> _______________________________________________<br>
> Oisf-users mailing list<br>
> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>
</div></div></blockquote></div><br>
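The thread's answer is one threshold.config "suppress" line per SID, which gets tedious for the large rule counts the question mentions. The script below is an added example, not from the thread and not part of Suricata: it reads the compact "ip  sid,sid-sid" format proposed in the question and expands it into the suppress lines Christophe describes. The gen_id, the default of track by_dst (the goal is exempting traffic to the protected server; use by_src for rules that match the server as sender, and by_either only if your Suricata version supports it), and the sample exclusion text are all assumptions made for the example. Subnet addresses such as 192.168.0.0/24 are passed through unchanged; whether the suppress "ip" field accepts a subnet depends on your Suricata version, so check the Global-Thresholds documentation linked above.

```python
"""Expand a compact per-IP rule exclusion list into Suricata threshold.config
'suppress' entries (added example, not Suricata's own tooling).

Input format (the one proposed in the thread): one entry per line, an IP or
CIDR followed by whitespace and a comma-separated list of SIDs or SID ranges.
Output: one 'suppress gen_id G, sig_id N, track T, ip A' line per SID.
"""
import ipaddress
import sys

# Constructed sample input in the format proposed in the thread (assumption).
SAMPLE_EXCLUSIONS = """\
# host         sids to silence for that host
192.168.0.10   2000001,2000002-2000005,2000006
192.168.0.0/24 2000007,2000008
"""


def parse_sid_list(spec):
    """Turn '2000001,2000002-2000005,2000006' into a sorted list of ints.

    Ranges are inclusive and duplicates are dropped. A descending range is
    rejected so a transposed digit does not silently expand to nothing.
    """
    sids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError("descending sid range: %s" % part)
            sids.update(range(lo, hi + 1))
        else:
            sids.add(int(part))
    return sorted(sids)


def expand_exclusions(text, gen_id=1, track="by_dst"):
    """Return the threshold.config lines for the given exclusion text.

    gen_id 1 is the generator id of ordinary signature alerts (as used in the
    thread). track defaults to by_dst because the thread wants to exempt
    traffic *to* a protected server; by_src covers rules where the server is
    the sender. Comments (#) and blank lines in the input are ignored.
    """
    if track not in ("by_src", "by_dst", "by_either"):
        raise ValueError("unknown track: %s" % track)
    lines = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            addr, spec = line.split(None, 1)
        except ValueError:
            raise ValueError("line %d: expected '<ip> <sids>'" % lineno)
        # strict=False accepts a bare host and a CIDR alike and validates both;
        # a single host is emitted without a /32 suffix.
        net = ipaddress.ip_network(addr, strict=False)
        ip_text = str(net.network_address) if net.num_addresses == 1 else str(net)
        for sid in parse_sid_list(spec):
            lines.append("suppress gen_id %d, sig_id %d, track %s, ip %s"
                         % (gen_id, sid, track, ip_text))
    return lines


if __name__ == "__main__":
    # Usage: python3 gen_suppress.py exclusions.txt > threshold.config
    # With no argument the constructed sample above is expanded.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    src = open(path).read() if path else SAMPLE_EXCLUSIONS
    print("\n".join(expand_exclusions(src)))
```

Point suricata.yaml's threshold-file at the generated file as shown above and reload the rules. Because suppression changes what a rule does for a whole host, regenerate the file from the source list rather than editing it by hand, keep the source list under version control, and in IPS mode confirm with a test packet that a suppressed drop rule behaves as you expect for the excluded host before relying on it.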