[Oisf-users] Negative in the HOME_NET variable

Anoop Saldanha anoopsaldanha at gmail.com
Fri Jan 10 02:44:22 UTC 2014 

On Fri, Jan 10, 2014 at 2:45 AM, Michael McAndrews <michaelm14 at gmail.com> wrote:
> Hello all,
>
> I'm new to the list so I apologize if this is already out there but
> nothing popped on Google....
>
> I'm running Suricata and encountered an issue when modifying the
> HOME_NET variable. I want to exclude a particular IP address from a CIDR
> defined network. For example, in HOME_NET I have defined 192.168.0.0/16.
> If I want to EXCLUDE the 192.168.14.0 subnet, the documentation I found
> said it would noted as follows:
>
> HOME_NET:       [192.168.0.0/16,!192.168.14.0/24]
>
> If I DO NOT have the negative in my Suricata.yaml file, it loads in seconds:
>
> --------------------------------------------------------------------
> Jan  9 20:33:04 IDS_GW suricata: 9/1/2014 -- 20:33:04 - <Info> - 8641
> signatures processed. 704 are IP-only rules, 3688 are inspecting packet
> payload, 4896 inspect application layer, 0 are decoder event only
> Jan  9 20:33:04 IDS_GW suricata: 9/1/2014 -- 20:33:04 - <Info> -
> building signature grouping structure, stage 1: adding signatures to
> signature source addresses... complete
> Jan  9 20:33:04 IDS_GW suricata: 9/1/2014 -- 20:33:04 - <Info> -
> building signature grouping structure, stage 2: building source address
> list... complete
> Jan  9 20:33:11 IDS_GW suricata: 9/1/2014 -- 20:33:11 - <Info> -
> building signature grouping structure, stage 3: building destination
> address lists... complete
> ---------------------------------------------------------------------
>
> The problem is, when I add the negative to the variable, it takes over
> 40 minutes for Suricata to load and start inspecting traffic.
>
> From the logs, I can tell it hangs after stage 1. Notice the times:
>
> ---------------------------------------------------------------------
> 9/1/2014 -- 20:23:29 - <Info> - building signature grouping structure,
> stage 1: adding signatures to signature source addresses... complete
> 9/1/2014 -- 20:53:39 - <Info> - building signature grouping structure,
> stage 2: building source address list... complete
> 9/1/2014 -- 21:10:09 - <Info> - building signature grouping structure,
> stage 3: building destination address lists... complete
> ---------------------------------------------------------------------
>
> Has anyone else seen this behavior or have a way to remove a subset of
> addresses from a network?
>

I tried the above by loading a rule that uses the HOME_NET you
specificed, and it loaded instantly.

Which version of suricata are you using?
How many rules are you loading?

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------

More information about the Oisf-users mailing list