[Oisf-users] How do you ignore External IP Addresses?

Darien Huss dhuss at emergingthreats.net
Fri Jun 20 11:59:49 UTC 2014


Without seeing the traffic I'm not sure if this would be reliable, but you
could possibly add something like this to that rule if the test webpage
occurs on the same domain every time:

content:!"trustedvendor.com"; http_header;

If their IP address were to change but the domain stayed the same, the above
would still work.

Regards,

Darien


On Fri, Jun 20, 2014 at 7:24 AM, Leonard Jacobs <ljacobs at netsecuris.com>
wrote:

> I want to be able to ignore some External source IP addresses in
> signatures. Can I list them in suricata.yaml with a ! in front of them?
> Like:
>
> EXTERNAL_NET: "[!$HOME_NET, !x.x.x.x, !x.x.x.x/16]"   for example.
>
> I have a trusted vendor that is causing false positives because they
> refuse to change a numeric string in what they are sending in a test web
> page so it is triggering a Trojan signature. I want to ignore their
> traffic. I know that is dangerous if they were really used as an attack
> vector into my network.
>
> Any suggestions?
>
> Leonard
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
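The address-group approach Leonard asks about, written out as an added example (this is not from the thread, nor from the Suricata project; the vendor ranges 203.0.113.0/24 and 198.51.100.7 are documentation placeholders standing in for the "x.x.x.x" in his message, and the HOME_NET value is assumed):

```yaml
# Added example, not from the original thread. suricata.yaml excerpt that
# carves a trusted vendor out of $EXTERNAL_NET, so that any rule written
# with "$EXTERNAL_NET any -> $HOME_NET any" no longer matches their traffic.
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"   # assumed

    # Placeholder vendor addresses (RFC 5737 documentation ranges), not real ones.
    # Every address that is neither HOME_NET nor the vendor.
    EXTERNAL_NET: "[!$HOME_NET,!203.0.113.0/24,!198.51.100.7]"
```

Validate the file before reloading with `suricata -T -c /etc/suricata/suricata.yaml`; an address-group that fails to parse is reported there rather than silently dropping rules. Two caveats a practitioner should keep in mind. First, this only affects rules whose source is `$EXTERNAL_NET`; a rule written with `any` as the source still fires, and the vendor is exempted from every `$EXTERNAL_NET` rule at once, not just the one that is false-positiving, which is the danger Leonard already points out. If the goal is to quiet one signature for one source, a threshold.config suppression is narrower: `suppress gen_id 1, sig_id <the rule's sid>, track by_src, ip 203.0.113.0/24` (the sid is whatever the offending Trojan rule carries). Second, Darien's `content:!"trustedvendor.com"; http_header;` variant is narrower still, but it depends on the vendor's name actually appearing in the header block the rule inspects: that is the client's Host header on a request, and a response from the vendor's server will normally not carry it, which is why he qualifies the suggestion with "without seeing the traffic". Whichever exemption is used, it is an allow-list keyed on something the remote side controls (its address or a header string), so it should be documented alongside the rule it neuters.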