<div dir="ltr">As i pointed out in the first link (<a href="http://manual.snort.org/node29.html#SECTION00425000000000000000">http://manual.snort.org/node29.html#SECTION00425000000000000000</a>) you have set your rule to be valid for every direction with the "<>" direction indicator. This means it will triger on "NOT your ip" towards ANY and also ANY ip towards NOT your IP. So that kinda defeats the whole purpose of the negating of the IP. Try f.ex "alert tcp ![..] any <> ![...] any" (just as a quick example, possibly not the best solution).<div><br></div><div>LRO: <a href="http://en.wikipedia.org/wiki/Large_receive_offload">http://en.wikipedia.org/wiki/Large_receive_offload</a></div><div>GRO: <a href="https://lwn.net/Articles/358910/">https://lwn.net/Articles/358910/</a></div><div><br></div><div>And this part of the suricata documentation talks about offloading of these: <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction</a></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-05-04 23:59 GMT+02:00 James Moe <span dir="ltr"><<a href="mailto:jimoe@sohnen-moe.com" target="_blank">jimoe@sohnen-moe.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 05/04/2015 02:10 PM, Andreas Moe wrote:<br>
> You have set them up to alert in any direction (the '<>') [1]. If you<br>
> had say A -> B it would only alert if this was a packet from host A<br>
> towards host B.<br>
><br>
</span> From the wiki<br>
<<a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules</a>>:<br>
! 1.1.1.1 (Every IP address but 1.1.1.1)<br>
<br>
Why does "alert tcp ![192.168.69.245] any <> any any" not work?<br>
It does not matter which direction of the traffic, I just do not want<br>
the alert.<br>
<span class=""><br>
> Also, might be better to define some netvariables like<br>
> say HOME_NET[2] and so on to better divide where the rules will trigger,<br>
> rather than doing single IP management in the rules.<br>
><br>
</span> Yes, HOME_NET is defined. I was experimenting with tuning the rule to<br>
the specifics of our network.<br>
The other response indicated this may be due to GR0 and LR0. What are<br>
those? Not in the documentation anywhere.<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
James Moe<br>
moe dot james at sohnen-moe dot com<br>
<a href="tel:520.743.3936" value="+15207433936">520.743.3936</a><br>
<br>
</div></div><br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" target="_blank">http://oisfevents.net</a><br></blockquote></div><br></div>