[Oisf-users] How do you ignore External IP Addresses?

Cooper F. Nelson cnelson at ucsd.edu
Fri Jun 20 18:00:29 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You want to use a 'pass' rule, they look like this and will prevent
suricata from further processing the stream:

> pass http any any -> any any (content:"foo.com"; http_host; sid:100; rev:1;)

In your case, just copy the sigs that are triggering false positives to
new sids, change 'alert' to 'pass' and then add the vendors src net to
that rule.

You can also simply ignore all their traffic with a bpf filter.  Just
add 'not src net x.x.x.x/16' to the end of the command line when you
start suricata.

- -Coop

On 6/20/2014 4:24 AM, Leonard Jacobs wrote:
> I want to be able to ignore some External source IP addresses in
> signatures. Can I list them in suricata.yaml with a ! in front of them.
> Like:
> 
>  
> 
> EXTERNAL_NET: "[!$HOME_NET, !x.x.x.x, !x.x.x.x/16]"   for example.
> 
>  
> 
> I have a trusted vendor that is causing false positives because they
> refuse to change a numeric string in what they are sending in a test web
> page so it is triggering a Trojan signature. I want to ignore their
> traffic. I know that is dangerous if they were really used as an attack
> vector into my network.
> 
>  
> 
> Any suggestions?
> 
>  
> 
> Leonard
> 
>  
> 
>  
> 
>  
> 
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
> 


- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTpHa9AAoJEKIFRYQsa8FWWtUIAM2zKHbbVOcpvVuB+1onV3D3
MeGLQbNc8DPuWbqTKjzQfDyxT8Wc0f8sjDfeugpKhDS9OCukeiXntn7ncSMccqqy
5S4kBh/5a83hrO1oZAcZsbdXT2Y691Ofaf0HxTiYYMVpIR/mnZNuJVslpkENsbK0
7z06jDvu+JB+wEZiah8DVpeiNjiqg4WvPLkFX+TXEySuv1/Vacq9mrS0hBgDtlCU
Ig00LSdE41nLtxQ0BjEOmhk7vBp+6lP5TbhtCeJJaOGW0y1AD4oV22UUgO5Ni8lX
xOzNFZvSdlri/iryEOeiVm/7FnOCPVT/N8BUZrEmS43WsRJgGVc856Ft8kFMtBU=
=UT7B
-----END PGP SIGNATURE-----

More information about the Oisf-users mailing list