[Oisf-users] question of suricata white list

Christophe Vandeplas christophe at vandeplas.com
Wed Oct 17 07:22:49 UTC 2012


On Wed, Oct 17, 2012 at 9:12 AM, 郑博文 <anshuitian at gmail.com> wrote:
>
>
>
>>   Sorry for my poor English.
>>
>>   I just want to take it as an example.  I know if my HOME_NET is 192.168.0.0/16, I can set it to HOME_NET [192.168.0.0/16,!192.168.0.10]. So, no rule will be detected for 192.168.0.10. But this is not what I expected. I still want most of the rules to protect that server.
>>
>>   I mean, if some rule alerts and drops a packet by mistake, we may disable that rule. But if we do so, all other IPs in my home net may not be protected by this rule.
>>
>>   So, my question is, can I just disable some rules for a specific IP?
>>
>>   I know I can change these rules' source and destination address one by one. But it's too hard if the number of rules is very large.
>>   I want to know whether I can simply set a configuration file like the following to do this. Or can some external plug-in module do this job?
>>
>> The first column is the IP. The following is the list of sids that should be excluded for that IP.
>> 192.168.0.10    2000001,2000002-2000005,2000006
>> 192.168.0.0/24 2000007,2000008


You're probably looking for a threshold configuration. In
/etc/suricata/threshold.config set:
suppress gen_id 1, sig_id 2000001, track by_dst, ip 192.168.0.10
suppress gen_id 1, sig_id 2000002, track by_dst, ip 192.168.0.10
...
(and so on)

In the suricata.yaml:
# You can specify a threshold config file by setting "threshold-file"
# to the path of the threshold config file:
threshold-file: /etc/suricata/threshold.config


Documentation about these rules can be found here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds





>> Thanks.
>>
>> 2012/10/17 Peter Manev <petermanev at gmail.com>
>>>
>>> Hi,
>>>
>>> What is your home net variable ?
>>> and could you share the rule?
>>>
>>> thank you
>>>
>>> On Wed, Oct 17, 2012 at 5:09 AM, 郑博文 <anshuitian at gmail.com> wrote:
>>>>
>>>> I'm sorry, the picture is bad.
>>>>
>>>>
>>>>
>>>> 2012/10/17 郑博文 <anshuitian at gmail.com>
>>>>>
>>>>> Hello everybody:
>>>>>     I recently learned suricata. now, I using suricata by IPS mode to protect two servers (192.168.0.10 and 192.168.0.11), but I want to set rule that id is 200,001 doesn't works to 192.168.0.10, but works to 192.168.0.11. What should I do?  If there are many rules like 200,001, What should I do?
>>>>>
>>>>>     There is my topology:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>     Thanks very much!
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Oisf-users mailing list
>>>> Oisf-users at openinfosecfoundation.org
>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>> Peter Manev
>>>
>>
>
>



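Added example (not from the thread or from the Suricata project): the mapping file the original poster proposed (one IP or CIDR per line, followed by a list of sids with commas and ranges) is not something Suricata reads directly, but it is a few lines of Python to expand into the one-sid-per-line `suppress` entries that threshold.config expects. The sample mapping text is constructed to match the poster's two example lines; `gen_id 1` and `track by_dst` are taken from the reply above, and the `track` argument is exposed so you can switch to `by_src` when the protected host is the source of the matching flow.

```python
#!/usr/bin/env python3
"""Expand an "<ip> <sids>" mapping into Suricata threshold.config suppress lines.

Input format (constructed here, as proposed in the thread):
    192.168.0.10    2000001,2000002-2000005,2000006
    192.168.0.0/24  2000007,2000008
Output, one suppress entry per (ip, sid) pair:
    suppress gen_id 1, sig_id 2000001, track by_dst, ip 192.168.0.10
"""
import ipaddress

# Constructed sample input mirroring the mapping file the original poster described.
SAMPLE_MAPPING = """\
# ip-or-cidr    sids to suppress for that address (commas and ranges allowed)
192.168.0.10    2000001,2000002-2000005,2000006
192.168.0.0/24  2000007,2000008
"""


def expand_sids(spec):
    """Turn '2000001,2000002-2000005' into a sorted, de-duplicated list of ints."""
    sids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad sid range {part!r}")
            sids.update(range(lo, hi + 1))
        else:
            sids.add(int(part))
    return sorted(sids)


def parse_mapping(text):
    """Parse mapping text into [(address, [sid, ...]), ...].

    Addresses are validated with ipaddress; a bare host address is kept as a
    plain IP (no /32), a network is kept in CIDR form. strict=True rejects a
    network with host bits set rather than silently widening it.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<ip> <sids>', got {raw!r}")
        addr, spec = fields
        net = ipaddress.ip_network(addr, strict=True)
        if net.prefixlen == net.max_prefixlen:
            addr_out = str(net.network_address)   # single host
        else:
            addr_out = str(net)                   # CIDR block
        entries.append((addr_out, expand_sids(spec)))
    return entries


def render_threshold_config(entries, track="by_dst", gen_id=1):
    """Render suppress lines in threshold.config syntax, one per (ip, sid)."""
    if track not in ("by_src", "by_dst", "by_either"):
        raise ValueError(f"unsupported track value {track!r}")
    lines = [
        f"suppress gen_id {gen_id}, sig_id {sid}, track {track}, ip {addr}"
        for addr, sids in entries
        for sid in sids
    ]
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    # Writes the generated block to stdout; redirect it into threshold.config
    # and point suricata.yaml's "threshold-file" at that path, as in the reply.
    print(render_threshold_config(parse_mapping(SAMPLE_MAPPING)), end="")
```

The `track` keyword decides which address of the packet the `ip` argument is compared against, so pick it per deployment: `by_dst` (as in the reply) fits rules that fire on traffic into the protected server, `by_src` fits rules that fire on traffic leaving it; `by_either` is accepted by newer Suricata releases, so check your version's threshold documentation before relying on it.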