<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Nevermind this question. I found a better way to deal with this that works for me.<br><br>I will be suppressing alerts in threshold file:<br>suppress gen_id 0, sig_id, track by_src, ip 1.1.1.1<br><br><br><br><div><hr id="stopSpelling">From: coolyasha@hotmail.com<br>To: cnelson@ucsd.edu; oisf-users@lists.openinfosecfoundation.org<br>Date: Mon, 30 Jun 2014 14:51:29 +0000<br>Subject: Re: [Oisf-users] Suppress all signatures per source IP<br><br>
<style><!--
.ExternalClass .ecxhmmessage P {
padding:0px;
}
.ExternalClass body.ecxhmmessage {
font-size:12pt;
font-family:Calibri;
}
--></style>
<div dir="ltr">It looks like BPF filter will not work for me since I cannot afford inspection loss during service restart.<br><br>Is my specification of EXTERNAL_NET variable correct? It doesnt seem to work correctly.<br>I have an IP 1.1.1.1 which is part of MYVAR whish should not be part of External net.<br>A rule triggers:<br><pre>alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"")</pre>Judging from the variables config, it should not have triggered.<br><br>Any idea?<br><br>Thanks.<br><br><div>> Date: Thu, 26 Jun 2014 14:18:14 -0700<br>> From: cnelson@ucsd.edu<br>> To: coolyasha@hotmail.com; oisf-users@lists.openinfosecfoundation.org<br>> Subject: Re: [Oisf-users] Suppress all signatures per source IP<br>> <br>> -----BEGIN PGP SIGNED MESSAGE-----<br>> Hash: SHA1<br>> <br>> As mentioned, I really think bpf filters are the way to go here.<br>> <br>> For example, we filter our IP traffic from the Qualys SOC vulnerability<br>> scanners with this expression:<br>> <br>> not (net 64.39.96.0/20)<br>> <br>> Note that bpf filters are preferable as they are extremely high performance.<br>> <br>> - -Coop<br>> <br>> On 6/26/2014 12:48 PM, Yasha Zislin wrote:<br>> > Hmm. Sounds like a pain to do this with pass rules.<br>> > <br>> > So the way I've done this in the past (with Snort) was that I've created<br>> > a custom variable with a list of IPs.<br>> > Then I would set my external net as follows.<br>> > <br>> > MYVAR_IP: "[1.1.1.1,2.2.2.2,3.3.3.3]"<br>> > <br>> > EXTERNAL_NET: "[!$HOME_NET,!$MYVAR_IP]"<br>> > <br>> > Most of the rules are configured to check from external to home. So if<br>> > my IPs are not part of External, then this suppression occurs.<br>> > For some reason this does not work in Suricata.<br>> > <br>> <br>> <br>> - -- <br>> Cooper Nelson<br>> Network Security Analyst<br>> UCSD ACT Security Team<br>> cnelson@ucsd.edu x41042<br>> -----BEGIN PGP SIGNATURE-----<br>> Version: GnuPG v2.0.17 (MingW32)<br>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/<br>> <br>> iQEcBAEBAgAGBQJTrI4WAAoJEKIFRYQsa8FWhIgH/Racilav8dBC9m8dsxTIxXLf<br>> Rn5zxy/S/zLYdo7ItB2AadOuB2HJcK4mttM+BOo503cYL/ndHnNvtRgc6rW+wiek<br>> t/yeMBqA2ii0OTLZPMr4Q2XpnRYC66rFP2h03lAm24fqWtGL8CRcGwNYYVopwnUf<br>> FKfx0SyOk6lwRoAEDqc02gVccKcpwbkrHsJRqNNva7coZSsQXq2iAfd4ZFnT59Bw<br>> TlUkEQGFx6QYL4TU6uR9qmDygOzlq9eMdQe0g1GpUt4iDwU1cybD06JpOO9sKToF<br>> EUsUm7VKBed0oxRSit0KA4FN22L0EcVBvbQbc/T3SBPsOF4O1mKZAnbiMVouVzA=<br>> =FaeI<br>> -----END PGP SIGNATURE-----<br></div> </div>
<br>_______________________________________________
Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/</div> </div></body>
</html>