[Oisf-users] question of suricata white list

郑博文 anshuitian at gmail.com
Wed Oct 17 07:45:36 UTC 2012


Thank you very much, I will study right now...

2012/10/17 Christophe Vandeplas <christophe at vandeplas.com>

> On Wed, Oct 17, 2012 at 9:12 AM, 郑博文 <anshuitian at gmail.com> wrote:
> >
> >>   Sorry for my poor English.
> >>
> >>   I just want to take it as an example.  I know if my HOME_NET is
> 192.168.0.0/16, I can set it to HOME_NET [192.168.0.0/16,!192.168.0.10].
> So, no rule may be detected for 192.168.0.10. But this is not what I
> expected. I still want most of the rules to protect that server.
> >>
> >>   I mean, if some rules alert and drop a packet by mistake, we may
> disable that rule. But if we do so, all other IPs in my home net may not be
> protected by this rule.
> >>
> >>   So, my question is, can I just disable some rules for specific IPs?
> >>
> >>   I know I can change these rules' source and destination addresses one
> by one. But it's too hard if the number of rules is very large.
> >>   I want to know whether I can simply set a configuration file like the
> following to do this. Or can some external plug-in module do this job?
> >>
> >> The first is the ip. The following are the sids that should be excluded for the ip.
> >> 192.168.0.10    2000001,2000002-2000005,2000006
> >> 192.168.0.0/24 2000007,2000008
>
>
> You're probably looking for a threshold configuration. In
> /etc/suricata/threshold.config set:
> suppress gen_id 1, sig_id 2000001, track by_dst, ip 192.168.0.10
> suppress gen_id 1, sig_id 2000002, track by_dst, ip 192.168.0.10
> ...
> (and so on)
>
> In the suricata.yaml:
> # You can specify a threshold config file by setting "threshold-file"
> # to the path of the threshold config file:
> threshold-file: /etc/suricata/threshold.config
>
>
> Documentation about these rules can be found here:
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds
>
> >> Thanks.
> >>
> >> 2012/10/17 Peter Manev <petermanev at gmail.com>
> >>>
> >>> Hi,
> >>>
> >>> What is your home net variable?
> >>> and could you share the rule?
> >>>
> >>> thank you
> >>>
> >>> On Wed, Oct 17, 2012 at 5:09 AM, 郑博文 <anshuitian at gmail.com> wrote:
> >>>>
> >>>> I'm sorry, the picture is bad.
> >>>>
> >>>>
> >>>>
> >>>> 2012/10/17 郑博文 <anshuitian at gmail.com>
> >>>>>
> >>>>> Hello everybody:
> >>>>>     I recently learned suricata. Now, I am using suricata in IPS mode
> to protect two servers (192.168.0.10 and 192.168.0.11), but I want to set
> it so that the rule whose id is 200,001 doesn't work for 192.168.0.10, but
> works for 192.168.0.11. What should I do?  If there are many rules like
> 200,001, what should I do?
> >>>>>
> >>>>>     Here is my topology:
> >>>>>
> >>>>>     Thanks very much!
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Oisf-users mailing list
> >>>> Oisf-users at openinfosecfoundation.org
> >>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>> Regards,
> >>> Peter Manev
> >>>
> >>
> >
>
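The per-IP sid list sketched in the question maps directly onto the suppress lines in the answer; the script below is an added example (not from this thread or from the Suricata project) that expands that sketched format, including sid ranges, into threshold.config lines. The input sample is constructed from the values quoted above, and gen_id 1 with track by_dst are assumed defaults that can be overridden.

```python
"""Expand a per-IP sid exclusion list into Suricata threshold.config
'suppress' lines. Added example: the input format is the one sketched
in the question, the output is the syntax given in the answer."""
import ipaddress

# Constructed sample in the poster's proposed format: "<ip or cidr>  <sid list>"
SAMPLE = """\
# ip/cidr        sids to exclude for that ip (ranges allowed)
192.168.0.10    2000001,2000002-2000005,2000006
192.168.0.0/24  2000007,2000008
"""


def expand_sids(spec):
    """'2000001,2000002-2000005' -> [2000001, 2000002, 2000003, 2000004, 2000005]."""
    sids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError("bad sid range: %s" % part)
            sids.update(range(lo, hi + 1))
        else:
            sids.add(int(part))
    return sorted(sids)


def to_suppress_lines(text, gen_id=1, track="by_dst"):
    """Return one 'suppress gen_id .., sig_id .., track .., ip ..' line
    per (ip, sid) pair. gen_id and track are assumed defaults."""
    lines = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, spec = line.split(None, 1)
        ipaddress.ip_network(ip, strict=False)  # reject malformed ip/cidr early
        for sid in expand_sids(spec):
            lines.append("suppress gen_id %d, sig_id %d, track %s, ip %s"
                         % (gen_id, sid, track, ip))
    return lines


if __name__ == "__main__":
    # Redirect stdout to threshold.config and point suricata.yaml's
    # threshold-file at it, as described in the reply.
    print("\n".join(to_suppress_lines(SAMPLE)))
```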