[Oisf-users] question of suricata white list

corenor corenor at gmail.com
Wed Oct 17 12:37:54 UTC 2012


What are the limitations of the threshold.conf with suricata?  I've
had mixed results trying to implement exceptions.


On Wed, Oct 17, 2012 at 3:45 AM, 郑博文 <anshuitian at gmail.com> wrote:
> Thank you very much, I will study right now...
>
> 2012/10/17 Christophe Vandeplas <christophe at vandeplas.com>
>>
>> On Wed, Oct 17, 2012 at 9:12 AM, 郑博文 <anshuitian at gmail.com> wrote:
>> >
>> >
>> >
>> >>   Sorry for my poor English.
>> >>
>> >>   I just want to take it as an example.  I know if my HOME_NET is
>> >> 192.168.0.0/16, I can set it to HOME_NET [192.168.0.0/16,!192.168.0.10]. So
>> >> no rule will match for 192.168.0.10. But this is not what I
>> >> expected. I still want most of the rules to protect that server.
>> >>
>> >>   I mean, if some rule alerts and drops a packet by mistake, we may
>> >> disable that rule. But if we do so, all other IPs in my home net may not be
>> >> protected by this rule.
>> >>
>> >>   So, my question is, can I just disable some rules for a specific IP?
>> >>
>> >>   I know I can change these rules' source and destination addresses one
>> >> by one. But it's too hard if the number of rules is very large.
>> >>   I want to know whether I can simply set up a configuration file like the
>> >> following to do this. Or can some external plug-in module do this job?
>> >>
>> >> The first field is the IP. The following are the sids that should be excluded for that IP.
>> >> 192.168.0.10    2000001,2000002-2000005,2000006
>> >> 192.168.0.0/24 2000007,2000008
>>
>>
>> You're probably looking for a threshold configuration. In
>> /etc/suricata/threshold.config set :
>> suppress gen_id 1, sig_id 2000001, track by_dst, ip 192.168.0.10
>> suppress gen_id 1, sig_id 2000002, track by_dst, ip 192.168.0.10
>> ...
>> (and so on)
>>
>> In the suricata.yaml:
>> # You can specify a threshold config file by setting "threshold-file"
>> # to the path of the threshold config file:
>> threshold-file: /etc/suricata/threshold.config
>>
>>
>> Documentation about these rules can be found here:
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds
>>
>> >> Thanks.
>> >>
>> >> 2012/10/17 Peter Manev <petermanev at gmail.com>
>> >>>
>> >>> Hi,
>> >>>
>> >>> What is your home net variable ?
>> >>> and could you share the rule?
>> >>>
>> >>> thank you
>> >>>
>> >>> On Wed, Oct 17, 2012 at 5:09 AM, 郑博文 <anshuitian at gmail.com> wrote:
>> >>>>
>> >>>> I'm sorry, the picture is bad.
>> >>>>
>> >>>>
>> >>>>
>> >>>> 2012/10/17 郑博文 <anshuitian at gmail.com>
>> >>>>>
>> >>>>> Hello everybody:
>> >>>>>     I recently learned Suricata. Now I am using Suricata in IPS mode
>> >>>>> to protect two servers (192.168.0.10 and 192.168.0.11), but I want to set the
>> >>>>> rule whose id is 200,001 so that it doesn't work for 192.168.0.10 but works for
>> >>>>> 192.168.0.11. What should I do?  If there are many rules like 200,001, what
>> >>>>> should I do?
>> >>>>>
>> >>>>>     Here is my topology:
>> >>>>>
>> >>>>>
>> >>>>>     Thanks very much!
>> >>>>
>> >>>>
>> >>>>
>> >>>> _______________________________________________
>> >>>> Oisf-users mailing list
>> >>>> Oisf-users at openinfosecfoundation.org
>> >>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >>>>
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> Regards,
>> >>> Peter Manev
>> >>>
>> >>
>> >
>> >
>> >
>
>
>
>
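As an added example (not code from the thread or from the Suricata project), the small script below turns the per-IP exclusion file the original poster sketched into the one-`suppress`-per-sid lines Christophe describes. It assumes `gen_id 1` and `track by_dst` (protecting the server as destination), and the input is the poster's constructed sample; Suricata's suppress `ip` field accepts a CIDR block, so the /24 line maps directly.

```python
"""Generate Suricata threshold.config 'suppress' entries from a per-IP
sid exclusion list (the format proposed in the thread)."""
import ipaddress

# Constructed sample input in the poster's proposed format:
#   <ip or cidr>  <sid>,<sid-range>,<sid>
EXCLUSIONS = """\
# comments and blank lines are ignored
192.168.0.10    2000001,2000002-2000005,2000006
192.168.0.0/24  2000007,2000008
"""


def expand_sids(spec):
    """'2000001,2000002-2000005' -> [2000001, 2000002, ..., 2000005]."""
    sids = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad sid range {part!r}")
            sids.extend(range(lo, hi + 1))
        else:
            sids.append(int(part))
    return sids


def parse_exclusions(text):
    """Yield (network, sid) pairs; rejects malformed addresses early."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<ip> <sids>'")
        net = ipaddress.ip_network(fields[0], strict=False)
        for sid in expand_sids(fields[1]):
            yield net, sid


def to_suppress_lines(text, gen_id=1, track="by_dst"):
    """One 'suppress' line per (ip, sid): suppress takes a single sig_id."""
    lines = []
    for net, sid in parse_exclusions(text):
        # Single hosts are written bare, networks keep their /prefix.
        ip = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        lines.append(f"suppress gen_id {gen_id}, sig_id {sid}, track {track}, ip {ip}")
    return lines


if __name__ == "__main__":
    print("\n".join(to_suppress_lines(EXCLUSIONS)))
```

Redirect the output into the file named by `threshold-file` in suricata.yaml; an invalid address or inverted sid range stops generation instead of silently producing a suppress line that never matches.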
