[Oisf-users] How do you ignore External IP Addresses?

Brant Wells bwells at tfc.edu
Fri Jun 20 18:06:16 UTC 2014


You could also add the IP Ranges that you want to ignore to the $HOME_NET
variable...

$HOME_NET = [10.0.0.0/16, 192.168.1.0/24, 8.8.8.8/32]

Or something like that to make it ignore the servers that you don't want to
monitor traffic from.
On Fri, Jun 20, 2014 at 12:23 PM, Leonard Jacobs <ljacobs at netsecuris.com>
wrote:

> I am trying to avoid customizing a standard signature because updating
> becomes problematic then.
>
> ----- Original Message -----
> From: Darien Huss [mailto:dhuss at emergingthreats.net]
> To: Leonard Jacobs [mailto:ljacobs at netsecuris.com]
> Cc: oisf-users at openinfosecfoundation.org
> Sent: Fri, 20 Jun 2014 06:59:49 -0500
> Subject: Re: [Oisf-users] How do you ignore External IP Addresses?
>
>
> > Without seeing the traffic I'm not sure if this would be reliable, but you
> > could possibly add something like this to that rule if the test webpage
> > occurs on the same domain every time:
> >
> > content:!"trustedvendor.com"; http_header;
> >
> > If their IP address were to change but the domain stays the same the above
> > would still work.
> >
> > Regards,
> >
> > Darien
> >
> >
> > On Fri, Jun 20, 2014 at 7:24 AM, Leonard Jacobs <ljacobs at netsecuris.com>
> > wrote:
> >
> > > I want to be able to ignore some External source IP addresses in
> > > signatures. Can I list them in suricata.yaml with a ! in front of them.
> > > Like:
> > >
> > > EXTERNAL_NET: "[!$HOME_NET, !x.x.x.x, !x.x.x.x/16]"   for example.
> > >
> > > I have a trusted vendor that is causing false positives because they
> > > refuse to change a numeric string in what they are sending in a test web
> > > page so it is triggering a Trojan signature. I want to ignore their
> > > traffic. I know that is dangerous if they were really used as an attack
> > > vector into my network.
> > >
> > > Any suggestions?
> > >
> > > Leonard
> > >
> > > _______________________________________________
> > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > OISF: http://www.openinfosecfoundation.org/
> > >
> >
>
>
> Leonard Jacobs, MBA, CISSP, CSSA
> President/CEO
> Netsecuris Inc.
> P 952-641-1421 ext. 20
> http://www.netsecuris.com
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
-- 
~Brant Wells
Network Administrator
Toccoa Falls College
107 Kincaid Drive Toccoa Falls, GA 30598
706-886-7299 x5346 * bwells at tfc.edu
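The thread weighs two ways of keeping a vendor's traffic out of a signature's source match: negating the vendor inside EXTERNAL_NET (Leonard's idea) versus adding the vendor to HOME_NET (Brant's idea). The script below is an added example, not code from this thread or from the Suricata project; it models Suricata-style address groups with deliberately simplified semantics (an address is in a group if it hits no negated entry and hits a positive entry, or any positive-free group) and uses the documentation range 203.0.113.0/24 as a constructed stand-in for the vendor's real x.x.x.x. It classifies a few addresses under each configuration so the side effects of both choices are visible before touching a production suricata.yaml.

```python
import ipaddress

# Constructed placeholder: a documentation-range address standing in for the
# "trusted vendor" the thread writes as x.x.x.x.
VENDOR_IP = "203.0.113.10"

# Configuration 1 (Leonard's proposal): negate the vendor inside EXTERNAL_NET.
EXCLUDE_IN_EXTERNAL = {
    "HOME_NET": "[10.0.0.0/16, 192.168.1.0/24]",
    "EXTERNAL_NET": "[!$HOME_NET, !203.0.113.10, !203.0.113.0/24]",
}

# Configuration 2 (Brant's proposal): add the vendor to HOME_NET and keep
# EXTERNAL_NET as the usual complement of HOME_NET.
INCLUDE_IN_HOME = {
    "HOME_NET": "[10.0.0.0/16, 192.168.1.0/24, 203.0.113.10/32]",
    "EXTERNAL_NET": "!$HOME_NET",
}


def parse_group(text, variables):
    """Expand an address group into (positives, negatives) ip_network lists.

    Simplified model (assumption, not Suricata's parser): entries are
    comma-separated IPs, CIDRs, 'any' or $VARIABLES, each optionally prefixed
    with '!'. Nested literal brackets are not supported; $VARIABLES are
    expanded recursively instead of textually.
    """
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    positives, negatives = [], []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:].strip()
        if entry.startswith("$"):
            sub_pos, sub_neg = parse_group(variables[entry[1:]], variables)
            if negated:
                # !$VAR excludes everything VAR includes; VAR's own
                # exclusions are not re-included (simplification).
                negatives.extend(sub_pos)
            else:
                positives.extend(sub_pos)
                negatives.extend(sub_neg)
            continue
        if entry.lower() == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(entry, strict=False)
        (negatives if negated else positives).append(net)
    return positives, negatives


def in_group(ip, group, variables):
    """True if the address is covered by the group under the model above."""
    addr = ipaddress.ip_address(ip)
    positives, negatives = parse_group(group, variables)
    if any(addr in net for net in negatives):
        return False
    if not positives:
        # A group made only of exclusions means "everything except these".
        return True
    return any(addr in net for net in positives)


def classify(ip, variables):
    """Return the set of variable names whose group covers the address."""
    return {name for name in variables if in_group(ip, variables[name], variables)}


if __name__ == "__main__":
    samples = ["10.0.5.7", VENDOR_IP, "198.51.100.9"]  # internal, vendor, random
    for label, config in (("exclude in EXTERNAL_NET", EXCLUDE_IN_EXTERNAL),
                          ("include in HOME_NET", INCLUDE_IN_HOME)):
        print(f"--- {label} ---")
        for ip in samples:
            print(f"{ip:>16} -> {sorted(classify(ip, config)) or ['(neither)']}")
```

Both configurations stop the vendor from matching a `$EXTERNAL_NET` source, which is what the thread is after. The classification also shows the difference: with the vendor negated out of EXTERNAL_NET it belongs to neither variable, so no rule keyed on either side will see it as source; with the vendor added to HOME_NET it is treated as internal, so every rule written for `$HOME_NET -> $EXTERNAL_NET` traffic now applies to it as well. That second effect is worth checking against the rule set before choosing Brant's shortcut.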