[Oisf-users] Negative in the HOME_NET variable

Michael McAndrews michaelm14 at gmail.com
Thu Jan 9 21:15:09 UTC 2014 

Hello all,

I'm new to the list so I apologize if this is already out there but
nothing popped on Google....

I'm running Suricata and encountered an issue when modifying the
HOME_NET variable. I want to exclude a particular IP address from a CIDR
defined network. For example, in HOME_NET I have defined 192.168.0.0/16.
If I want to EXCLUDE the 192.168.14.0 subnet, the documentation I found
said it would noted as follows:

HOME_NET: 	[192.168.0.0/16,!192.168.14.0/24]

If I DO NOT have the negative in my Suricata.yaml file, it loads in seconds:

--------------------------------------------------------------------
Jan  9 20:33:04 IDS_GW suricata: 9/1/2014 -- 20:33:04 - <Info> - 8641
signatures processed. 704 are IP-only rules, 3688 are inspecting packet
payload, 4896 inspect application layer, 0 are decoder event only
Jan  9 20:33:04 IDS_GW suricata: 9/1/2014 -- 20:33:04 - <Info> -
building signature grouping structure, stage 1: adding signatures to
signature source addresses... complete
Jan  9 20:33:04 IDS_GW suricata: 9/1/2014 -- 20:33:04 - <Info> -
building signature grouping structure, stage 2: building source address
list... complete
Jan  9 20:33:11 IDS_GW suricata: 9/1/2014 -- 20:33:11 - <Info> -
building signature grouping structure, stage 3: building destination
address lists... complete
---------------------------------------------------------------------

The problem is, when I add the negative to the variable, it takes over
40 minutes for Suricata to load and start inspecting traffic.

>From the logs, I can tell it hangs after stage 1. Notice the times:

---------------------------------------------------------------------
9/1/2014 -- 20:23:29 - <Info> - building signature grouping structure,
stage 1: adding signatures to signature source addresses... complete
9/1/2014 -- 20:53:39 - <Info> - building signature grouping structure,
stage 2: building source address list... complete
9/1/2014 -- 21:10:09 - <Info> - building signature grouping structure,
stage 3: building destination address lists... complete
---------------------------------------------------------------------

Has anyone else seen this behavior or have a way to remove a subset of
addresses from a network?

Thanks in advance!

More information about the Oisf-users mailing list