[Oisf-users] How do you ignore External IP Addresses?

Leonard Jacobs ljacobs at netsecuris.com
Fri Jun 20 11:24:04 UTC 2014


I want to be able to ignore some external source IP addresses in signatures. Can I list them in suricata.yaml with a ! in front of them? Like:
 
EXTERNAL_NET: "[!$HOME_NET, !x.x.x.x, !x.x.x.x/16]"  for example.
 
I have a trusted vendor that is causing false positives because they refuse to change a numeric string in what they are sending in a test web page so it is triggering a Trojan signature. I want to ignore their traffic. I know that is dangerous if they were really used as an attack vector into my network.
 
Any suggestions?
 
Leonard
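As an added example (not from the list post and not Suricata's own code), the script below is a small Python model of how an address group with negations such as the one above resolves. It assumes the usual address-group rule that an address matches when it is inside some non-negated entry and outside every negated entry, with a group made only of negations meaning "everything except"; 198.51.100.7 and 203.0.113.0/24 are constructed stand-ins for the vendor's addresses.

```python
import ipaddress

# Constructed sample of the vars section from a suricata.yaml, with the
# vendor addresses written as negated entries of EXTERNAL_NET (placeholders).
VARS = {
    "HOME_NET": "[192.168.0.0/16, 10.0.0.0/8]",
    "EXTERNAL_NET": "[!$HOME_NET, !198.51.100.7, !203.0.113.0/24]",
}


def _tokens(group):
    """Split '[a, !b, $VAR]' into its comma-separated entries.
    Simplification: nested bracketed sub-groups are not handled here."""
    body = group.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    return [t.strip() for t in body.split(",") if t.strip()]


def matches(ip, group, variables=VARS):
    """True if ip is covered by the address group.

    An entry may be a CIDR/IP, 'any', or a $VARIABLE that is resolved
    recursively; a leading '!' negates it. Matching rule (assumed model):
    inside at least one non-negated entry and outside all negated ones.
    A group consisting only of negations matches everything not excluded.
    """
    addr = ipaddress.ip_address(ip)
    positive_seen = False
    hit = False
    for token in _tokens(group):
        negate = token.startswith("!")
        token = token.lstrip("!")
        if token == "any":
            if negate:
                raise ValueError("!any is not a meaningful address group")
            inside = True
        elif token.startswith("$"):
            inside = matches(ip, variables[token[1:]], variables)
        else:
            inside = addr in ipaddress.ip_network(token, strict=False)
        if negate:
            if inside:
                return False  # explicitly excluded, regardless of other entries
        else:
            positive_seen = True
            hit = hit or inside
    return hit if positive_seen else True


if __name__ == "__main__":
    for host in ("203.0.113.5", "10.1.2.3", "192.0.2.1"):
        print(host, "is EXTERNAL_NET:", matches(host, "$EXTERNAL_NET"))
```

Only rules whose source or destination is written as `$EXTERNAL_NET` are affected by this change; rules that use `any` in that position still fire on the vendor's traffic.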