[Oisf-users] Suppressing rules by http host name, best method?

Jay M. jskier at gmail.com
Tue Dec 9 16:15:56 UTC 2014


May have spoken a little too soon. The pass rule seems to work for
passing host and agent keyword based alerts where source or dest IP is
singular <> external net just fine. However I found a few simpler pass
rules I created using CIDR notation do not work. In fact, going to a
source of a single IP and any any dest do not work, I'm still getting
alerts.

This is what is not working:
pass ip Trustedsrc_IP any <> any any (msg:"Pass this ip test"; sid: 8000020;)
pass ip Trustedsrc_Network any <> any any (msg:"Pass this net test"; sid: 8000021;)

Or when destination is HOME_NET any, it still will not skip the alert.
The alert rule in question is tcp, certificate exchange (specifically
tcp rule for POODLE client inbound signature). Looking at the rule
itself, I don't believe that is the problem. Also, my config has pass
at the top of the chain, and the pass rule file is referenced (as well
as the http ones confirmed working).

I'll probably add these to threshold config for the time being, which
does work. Should I submit a bug report for this? I didn't seem to see
anything related to this issue yet. Versions I see impacted: 2.1beta1
and 2.1beta2.

Regards,
--
Jay
jskier at gmail.com


On Fri, Dec 5, 2014 at 8:57 AM, Jay M. <jskier at gmail.com> wrote:
> Neat, thanks, I missed that in the docs. I should be able to tune it
> down even further than this by throwing in more content values, but
> I'll start here for testing (slightly obfuscated):
>
> pass http proxyip any -> $EXTERNAL_NET 80 (msg:"Pass ocsp Verisign traffic"; content:"ocsp.verisign.com"; http_host; sid:#;)
> --
> Jay
> jskier at gmail.com
>
>
> On Fri, Dec 5, 2014 at 7:49 AM, Victor Julien <lists at inliniac.net> wrote:
>> On 12/05/2014 02:37 PM, Jay M. wrote:
>>> I hope this is the correct place to ask this. I'm trying to suppress a
>>> rule I created by http host name. I prefer to use IPs however this
>>> particular host name uses several dynamic IPs in Akamai cloud, so
>>> suppressing an ever growing list of IPs on that network is not
>>> something I want to do.
>>>
>>> I don't see any options for track by hostname in the threshold.conf
>>> documentation, so I assume (please correct me if I'm mistaken) that
>>> this is not an option? My next thought was to do a pcre rule, however
>>> I'm open to other suggestions if they exist.
>>
>> If you're okay with ignoring/suppressing all rules for that host, you
>> could use a pass rule:
>>
>> pass http any any -> any any (content:"yourhostnametoignore"; http_host; sid:12345;)
>>
>> See also:
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Training now available: http://suricata-ids.org/training/
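
The following is an added illustration, not code from the thread, from Jay, or from the Suricata project. It models the documented precedence the thread relies on: pass rules are evaluated before alert rules and, when one matches, stop all inspection of that packet, whereas a threshold.conf suppress entry silences only the single sid it names for the tracked address. It reuses the two pass rules quoted above and Victor's http_host pass rule shape; the address-group table, the alert rules (sids 9000001 and 9000002), the suppress entry, the hostname ocsp.example.invalid and all packets are constructed. Unprefixed names such as Trustedsrc_IP are resolved through the same table so the rules can be used as posted; real Suricata would need the $ prefix. The model implements the expected behaviour, so it does not reproduce the discrepancy Jay reports; it is meant to make clear what a working pass rule with <> and a CIDR source should cover.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed address groups standing in for the vars: section of suricata.yaml.
# Unprefixed names are resolved too, so the rules from the thread parse as posted.
ADDRESS_GROUPS = {
    "HOME_NET": "10.0.0.0/8",
    "EXTERNAL_NET": "!$HOME_NET",
    "Trustedsrc_IP": "10.1.2.3",
    "Trustedsrc_Network": "10.1.2.0/24",
}

RULE_RE = re.compile(
    r"^(?P<action>pass|alert)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+),\s*sig_id\s+(?P<sid>\d+),\s*"
    r"track\s+(?P<track>by_src|by_dst),\s*ip\s+(?P<ip>\S+)$"
)


@dataclass
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    http_host: Optional[str] = None  # set once the HTTP parser has seen a Host header
    payload: str = ""


@dataclass
class Rule:
    action: str; proto: str; src: str; sport: str; direction: str
    dst: str; dport: str; sid: int; msg: str
    content: Optional[str]          # single content match, enough for this model
    http_host: bool                 # content applies to the Host header buffer


@dataclass
class Suppress:
    sid: int; track: str; ip: str


def parse_rule(text: str) -> Rule:
    """Parse the rule subset used in the thread (options must not contain ';' inside quotes)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    opts, content, http_host = {}, None, False
    for opt in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        if opt == "http_host":
            http_host = True
            continue
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "content":
            content = value
        else:
            opts[key] = value
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"], m["dst"],
                m["dport"], int(opts["sid"]), opts.get("msg", ""), content, http_host)


def parse_suppress(text: str) -> Suppress:
    m = SUPPRESS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported threshold.conf line: {text!r}")
    return Suppress(int(m["sid"]), m["track"], m["ip"])


def addr_matches(spec: str, ip: str) -> bool:
    """any, !negation, $VAR (or bare group name) and a single IP or CIDR network."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec.startswith("$"):
        return addr_matches(ADDRESS_GROUPS[spec[1:]], ip)
    if spec in ADDRESS_GROUPS:
        return addr_matches(ADDRESS_GROUPS[spec], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto == "http":
        if pkt.proto != "tcp" or pkt.http_host is None:
            return False
    elif rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    forward = (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
               and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport))
    # '<>' also accepts the packet with the two endpoints swapped.
    reverse = (rule.direction == "<>"
               and addr_matches(rule.src, pkt.dst) and port_matches(rule.sport, pkt.dport)
               and addr_matches(rule.dst, pkt.src) and port_matches(rule.dport, pkt.sport))
    if not (forward or reverse):
        return False
    if rule.content is not None:
        haystack = pkt.http_host if rule.http_host else pkt.payload
        return haystack is not None and rule.content in haystack
    return True


def suppressed(entry: Suppress, sid: int, pkt: Packet) -> bool:
    addr = pkt.src if entry.track == "by_src" else pkt.dst
    return entry.sid == sid and addr_matches(entry.ip, addr)


def evaluate(rules, suppressions, pkt: Packet):
    """Sids that would alert on pkt: a matching pass rule ends inspection of the
    whole packet; a suppress entry hides only the sid it names."""
    if any(r.action == "pass" and rule_matches(r, pkt) for r in rules):
        return []
    return [r.sid for r in rules
            if r.action == "alert" and rule_matches(r, pkt)
            and not any(suppressed(s, r.sid, pkt) for s in suppressions)]


RULES = [parse_rule(r) for r in [
    'pass ip Trustedsrc_IP any <> any any (msg:"Pass this ip test"; sid:8000020;)',
    'pass ip Trustedsrc_Network any <> any any (msg:"Pass this net test"; sid:8000021;)',
    'pass http any any -> any any (content:"ocsp.example.invalid"; http_host; sid:12345;)',
    'alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"constructed TLS server alert"; sid:9000001;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"constructed HTTP alert"; sid:9000002;)',
]]
SUPPRESSIONS = [parse_suppress("suppress gen_id 1, sig_id 9000001, track by_dst, ip 10.9.9.0/24")]


def run_scenarios():
    """Constructed packets: inbound 443 traffic to a trusted host, to a trusted /24,
    to a plain internal host, to a suppressed /24, and outbound HTTP with two Host values."""
    pkts = {
        "to_trusted_ip": Packet("tcp", "203.0.113.5", 443, "10.1.2.3", 40000),
        "to_trusted_net": Packet("tcp", "203.0.113.5", 443, "10.1.2.77", 40000),
        "to_other_host": Packet("tcp", "203.0.113.5", 443, "10.5.5.5", 40000),
        "to_suppressed_net": Packet("tcp", "203.0.113.5", 443, "10.9.9.9", 40000),
        "http_passed_host": Packet("tcp", "10.5.5.5", 50000, "198.51.100.7", 80, "ocsp.example.invalid"),
        "http_other_host": Packet("tcp", "10.5.5.5", 50000, "198.51.100.7", 80, "www.example.invalid"),
    }
    return {name: evaluate(RULES, SUPPRESSIONS, p) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, sids in run_scenarios().items():
        print(f"{name:18} -> {'no alert' if not sids else sids}")
```

The two pass rules only win here because `<>` lets the trusted address sit on the destination side of an inbound server-to-client packet; with `->` and the trusted address as source, the same inbound packet would not be passed and the alert would fire. The suppress entry is the narrower tool: it keeps every other signature active for the tracked addresses, which is the trade-off to weigh before choosing it over a pass rule.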