[Oisf-users] Ignore ips in rule

Xavier Romero XRomero at nexica.com
Thu Aug 28 10:50:07 UTC 2014


You're right. Another user pointed me in the right direction by suggesting to put in first the negated range:

Which also worked OK. I guess than removing the $EXTERNAL_NET would be better for performance.

Thank you very much,
Xavier Romero

De: Matt Carothers [mailto:matt at somedamn.com]
Enviado el: dimecres, 27 d'agost de 2014 17:11
Para: Xavier Romero; oisf-users at lists.openinfosecfoundation.org
Asunto: RE: [Oisf-users] Ignore ips in rule

$EXTERNAL_NET is every IP that isn't in your $HOME_NET, and that includes the Google DNS servers.  It's like saying [,!], which matches both and every IP that isn't, so it's always a true condition.  You can fix it just by removing the $EXTERNAL_NET, unless your sensor is positioned where it would see port 53 traffic between internal hosts.  If that's the case, you can exclude particular IPs by putting a pass rule ahead of the alert rule.

- Matt

From: oisf-users-bounces at lists.openinfosecfoundation.org<mailto:oisf-users-bounces at lists.openinfosecfoundation.org> [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Xavier Romero
Sent: Wednesday, August 27, 2014 4:40 AM
To: oisf-users at lists.openinfosecfoundation.org<mailto:oisf-users at lists.openinfosecfoundation.org>
Subject: [Oisf-users] Ignore ips in rule


I've this custom rule:

alert udp [$EXTERNAL_NET,!$GOOGLE_DNS] 53 -> [$HOME_NET,!$DNS_SERVERS] any (msg:"Possible atac DNS"; threshold: type both, track by_dst, count 600, seconds 60; classtype:attempted-dos; sid:101111009; rev:5;)

And this definition on suricata.yaml:

# Holds variables that would be used by the engine.

  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.

    HOME_NET: "[x.x.x.x/24]"

    GOOGLE_DNS: "[,]"





    DNS_SERVERS: "[a.a.a.a,b.b.b.b,c.c.c.c,d.d.d.d]"


However, there are alerts like these:
08/27/2014-10:33:37.344581  [**] [1:101111009:5] Possible atac DNS [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} -> a.b.c.d:52721
08/27/2014-10:33:48.511591  [**] [1:101111009:5] Possible atac DNS [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} -> a.b.c.d:35899

I'm expecting to totally ignore packets whith IP source What I'm doing wrong?

I've also tried
Instead of:
With the same result.

Each time I modify the rule, I increment REV number and restart suricata.

Thank you very much,
Xavier Romero
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140828/6abcfaa4/attachment-0002.html>

More information about the Oisf-users mailing list