[Oisf-users] How do you ignore External IP Addresses?

Shirkdog shirkdog at gmail.com
Fri Jun 20 18:46:06 UTC 2014


You can use a tool like pulled pork, which will allow you to modify
signatures when you update them. This allows for minor false positive
issues to be addressed.

https://code.google.com/p/pulledpork/

---
Michael Shirk


On Fri, Jun 20, 2014 at 12:23 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
> I am trying to avoid customizing a standard signature because updating becomes problematic then.
>
> ----- Original Message -----
> From: Darien Huss [mailto:dhuss at emergingthreats.net]
> To: Leonard Jacobs [mailto:ljacobs at netsecuris.com]
> Cc: oisf-users at openinfosecfoundation.org
> Sent: Fri, 20 Jun 2014 06:59:49 -0500
> Subject: Re: [Oisf-users] How do you ignore External IP Addresses?
>
>
>> Without seeing the traffic I'm not sure if this would be reliable, but you
>> could possibly add something like this to that rule if the test webpage
>> occurs on the same domain every time:
>>
>> content:!"trustedvendor.com"; http_header;
>>
>> If their IP address were to change but the domain stays the same the above
>> would still work.
>>
>> Regards,
>>
>> Darien
>>
>>
>> On Fri, Jun 20, 2014 at 7:24 AM, Leonard Jacobs <ljacobs at netsecuris.com>
>> wrote:
>>
>> > I want to be able to ignore some External source IP addresses in
>> > signatures. Can I list them in suricata.yaml with a ! in front of them.
>> > Like:
>> >
>> > EXTERNAL_NET: "[!$HOME_NET, !x.x.x.x, !x.x.x.x/16]"   for example.
>> >
>> > I have a trusted vendor that is causing false positives because they
>> > refuse to change a numeric string in what they are sending in a test web
>> > page so it is triggering a Trojan signature. I want to ignore their
>> > traffic. I know that is dangerous if they were really used as an attack
>> > vector into my network.
>> >
>> > Any suggestions?
>> >
>> > Leonard
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > OISF: http://www.openinfosecfoundation.org/
>> >
>>
>
>
> Leonard Jacobs, MBA, CISSP, CSSA
> President/CEO
> Netsecuris Inc.
> P 952-641-1421 ext. 20
> http://www.netsecuris.com
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
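Michael's point about pulledpork is that a local tweak should live outside the vendor-maintained rule files and be re-applied after every update, otherwise the next update silently drops it. The script below is an added example, not part of this thread and not pulledpork's own code: it rewrites a rules file so that a chosen sid gains Darien's `content:!"trustedvendor.com"; http_header;` option in front of its `sid:` keyword, leaves commented-out rules alone, is idempotent so it can run after every update, and reports sids it could not find (a hint that the signature was retired or renumbered). The rule text, the sids and the `EXCLUSIONS` table are constructed placeholders, not real ET signatures.

```python
import re

# Constructed sample rules file: placeholder sids and message text, not real ET rules.
SAMPLE_RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE TROJAN Numeric Beacon"; flow:established,to_client; content:"1234567890"; http_server_body; classtype:trojan-activity; sid:9000001; rev:2;)
# alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE POLICY Disabled Rule"; content:"foo"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE EXPLOIT Unrelated"; content:"|ff|SMB"; sid:9000003; rev:1;)
"""

# Local tuning table: sid -> option string to insert before "sid:".
# Kept in a separate file in practice so rule updates never overwrite it.
EXCLUSIONS = {
    9000001: 'content:!"trustedvendor.com"; http_header;',
}

# Matches the sid option; the keyword is unique per rule, so it is a safe anchor.
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def apply_exclusions(rules_text, exclusions):
    """Return (rewritten_rules_text, set_of_sids_not_found).

    Each matching rule gets the exclusion option inserted immediately before
    its sid keyword. Running the function on its own output is a no-op, so
    it can be scheduled after every rule update.
    """
    out = []
    applied = set()
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        # Blank lines and disabled (commented) rules pass through untouched.
        if not stripped or stripped.startswith('#'):
            out.append(line)
            continue
        m = SID_RE.search(line)
        if not m:
            out.append(line)
            continue
        sid = int(m.group(1))
        extra = exclusions.get(sid)
        if extra is None:
            out.append(line)
            continue
        if extra in line:
            # Already tuned on a previous run: keep idempotent.
            applied.add(sid)
            out.append(line)
            continue
        out.append(line[:m.start()] + extra + ' ' + line[m.start():])
        applied.add(sid)
    missing = set(exclusions) - applied
    return '\n'.join(out) + '\n', missing


if __name__ == "__main__":
    tuned, not_found = apply_exclusions(SAMPLE_RULES, EXCLUSIONS)
    print(tuned)
    if not_found:
        print("sids not found (retired or renumbered?):", sorted(not_found))
```

Because `http_header` here is used as a modifier on the preceding `content`, the option can sit anywhere in the rule's option list; placing it just before `sid:` keeps the rewrite mechanical and easy to diff. Suricata still has to be told to reload the rewritten file, and the `not_found` set is worth alerting on: an exclusion that silently stops matching is exactly the kind of drift hand-edited signatures suffer from.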


