<div dir="ltr"><p dir="ltr">Without seeing the traffic I'm not sure if this would be
reliable, but you could possibly add something like this to that rule if
the test webpage occurs on the same domain every time:</p>
<p dir="ltr">content:!"trustedvendor.com"; http_header;</p><p>If their IP address were to change but the domain stays the same, the above would still work.</p>
<p dir="ltr">Regards,</p>
<p dir="ltr">Darien</p></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jun 20, 2014 at 7:24 AM, Leonard Jacobs <span dir="ltr"><<a href="mailto:ljacobs@netsecuris.com" target="_blank">ljacobs@netsecuris.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div link="blue" vlink="purple" lang="EN-US"><div><p class="MsoNormal">I want to be able to ignore some external source IP addresses in signatures. Can I list them in suricata.yaml with a ! in front of them? Like:</p>
<p class="MsoNormal">EXTERNAL_NET: "[!$HOME_NET, !x.x.x.x, !x.x.x.x/16]" for example.</p>
<p class="MsoNormal">I have a trusted vendor that is causing false positives because they refuse to change a numeric string in what they are sending in a test web page, so it is triggering a Trojan signature. I want to ignore their traffic. I know that is dangerous if they were really used as an attack vector into my network.</p>
<p class="MsoNormal">Any suggestions?</p><span class="HOEnZb"><font color="#888888"><p class="MsoNormal"><span style="font-family:'Arial','sans-serif'">Leonard</span></p></font></span></div></div><br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br></blockquote></div><br></div>
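Darien's suggestion written out as an added example (not from the thread and not a real ruleset entry): a constructed placeholder signature beside the same rule with the negated http_header match, plus a tighter http_host variant that goes a step beyond the thread. It assumes the vendor's test page is fetched by an internal client and the numeric string shows up in the client's request URI (flow:to_server), so that http_header inspects the request headers, where the Host header carries the domain; trustedvendor.com, the string 1234567890, the URI and the sids are placeholders.

```suricata
# Constructed placeholder standing in for the "Trojan" rule the vendor's test page
# trips: fires on a made-up numeric string in a request URI sent by an internal
# client to the vendor's site. Not a real signature.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Trojan check-in numeric string"; flow:established,to_server; content:"id=1234567890"; http_uri; classtype:trojan-activity; sid:1000001; rev:1;)

# Same rule with Darien's negated match appended. With flow:to_server, http_header
# inspects the request headers, so a request whose Host header (or any other header,
# e.g. Referer) contains trustedvendor.com no longer alerts; the same string sent to
# any other site still does. Bump rev so the change is tracked.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Trojan check-in numeric string"; flow:established,to_server; content:"id=1234567890"; http_uri; content:!"trustedvendor.com"; http_header; classtype:trojan-activity; sid:1000001; rev:2;)

# Tighter variant (beyond the thread): limit the exception to the Host header, so the
# domain turning up in an unrelated header such as Referer does not suppress the alert.
# The http_host buffer is lowercase-normalized, so the pattern must be lowercase.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Trojan check-in numeric string"; flow:established,to_server; content:"id=1234567890"; http_uri; content:!"trustedvendor.com"; http_host; classtype:trojan-activity; sid:1000001; rev:3;)

# Caveat: if the original signature matches the vendor's response instead
# (flow:to_client), http_header inspects the response headers, which normally do not
# carry the server's domain, and the exception would never take effect.
```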