[Oisf-users] How do you ignore External IP Addresses?

Leonard Jacobs ljacobs at netsecuris.com
Fri Jun 20 16:23:57 UTC 2014


I am trying to avoid customizing a standard signature because updating becomes problematic then.

----- Original Message -----
From: Darien Huss [mailto:dhuss at emergingthreats.net]
To: Leonard Jacobs [mailto:ljacobs at netsecuris.com]
Cc: oisf-users at openinfosecfoundation.org
Sent: Fri, 20 Jun 2014 06:59:49 -0500
Subject: Re: [Oisf-users] How do you ignore External IP Addresses?


> Without seeing the traffic I'm not sure if this would be reliable, but you
> could possibly add something like this to that rule if the test webpage
> occurs on the same domain every time:
> 
> content:!"trustedvendor.com"; http_header;
> 
> If their IP address were to change but the domain stays the same the above
> would still work.
> 
> Regards,
> 
> Darien
> 
> 
> On Fri, Jun 20, 2014 at 7:24 AM, Leonard Jacobs <ljacobs at netsecuris.com>
> wrote:
> 
> > I want to be able to ignore some External source IP addresses in
> > signatures. Can I list them in suricata.yaml with a ! in front of them.
> > Like:
> >
> > EXTERNAL_NET: "[!$HOME_NET, !x.x.x.x, !x.x.x.x/16]"   for example.
> >
> > I have a trusted vendor that is causing false positives because they
> > refuse to change a numeric string in what they are sending in a test web
> > page so it is triggering a Trojan signature. I want to ignore their
> > traffic. I know that is dangerous if they were really used as an attack
> > vector into my network.
> >
> > Any suggestions?
> >
> > Leonard
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> >
> 


Leonard Jacobs, MBA, CISSP, CSSA
President/CEO
Netsecuris Inc.
P 952-641-1421 ext. 20
http://www.netsecuris.com
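Neither message in the thread spells out a complete configuration, so the following is an added example (written here, not code from the thread, from Emerging Threats, or from the Suricata project) showing two ways to stop a single signature firing on the vendor's traffic. The first uses Suricata's threshold.config `suppress` keyword, which leaves the stock ET rule file untouched and therefore survives rule updates; the second is Darien's rule-option exclusion placed in a full rule. The sid values, the numeric marker, the address 203.0.113.10, the domain trustedvendor.com and the assumption that the test page arrives as an HTTP response are all placeholders.

```text
# --- /etc/suricata/threshold.config (added example, not from the thread) ---
# Suppress one signature only when the packet source is the trusted vendor,
# so the stock ET rule is never edited and rule updates keep working.
# gen_id 1 is the default generator id for Suricata rules.
# sid 9000001 and 203.0.113.10 are placeholders: use the sid of the Trojan
# signature that actually fires and the vendor's real address or CIDR.
suppress gen_id 1, sig_id 9000001, track by_src, ip 203.0.113.10

# suricata.yaml must reference this file for the entry to be loaded:
#   threshold-file: /etc/suricata/threshold.config
# Restart or reload Suricata, then confirm the alert no longer fires for the
# vendor's test page but still fires when the same marker comes from any
# other source. Keeping the suppression to one sid and one source limits the
# exposure Leonard notes: every other signature still inspects that vendor.

# --- local.rules: the exclusion done inside the rule, as in Darien's reply ---
# Hypothetical rule standing in for the ET Trojan signature; the marker
# string, sid and direction (vendor page as an HTTP response) are assumptions.
# This approach requires a local copy of the rule, which is what Leonard
# wants to avoid, and Darien's caveat applies: the negated match only helps
# if "trustedvendor.com" really appears in the headers Suricata inspects for
# that direction, so verify against captured traffic before relying on it.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Trojan marker in HTTP response"; flow:established,to_client; content:"1234567890"; http_server_body; content:!"trustedvendor.com"; http_header; classtype:trojan-activity; sid:9000002; rev:1;)
```

Suricata can validate both files without touching live traffic with `suricata -T -c /etc/suricata/suricata.yaml`, which loads the rules and the threshold file and reports parse errors before a restart.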
