[Oisf-users] How do you ignore External IP Addresses?

Leonard Jacobs ljacobs at netsecuris.com
Sat Jun 21 00:45:41 UTC 2014


We use Oinkmaster right now for updates. But I still don't know how we can use the 8 vendor IPs and one range in the signature.

-----Original Message-----
From: Shirkdog [mailto:shirkdog at gmail.com] 
Sent: Friday, June 20, 2014 1:46 PM
To: Leonard Jacobs
Cc: Darien Huss; oisf-users
Subject: Re: [Oisf-users] How do you ignore External IP Addresses?

You can use a tool like pulled pork, which will allow you to modify signatures when you update them. This allows for minor false positive issues to be addressed.

https://code.google.com/p/pulledpork/

---
Michael Shirk


On Fri, Jun 20, 2014 at 12:23 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
> I am trying to avoid customizing a standard signature because updating becomes problematic then.
>
> ----- Original Message -----
> From: Darien Huss [mailto:dhuss at emergingthreats.net]
> To: Leonard Jacobs [mailto:ljacobs at netsecuris.com]
> Cc: oisf-users at openinfosecfoundation.org
> Sent: Fri, 20 Jun 2014 06:59:49 -0500
> Subject: Re: [Oisf-users] How do you ignore External IP Addresses?
>
>
>> Without seeing the traffic I'm not sure if this would be reliable, 
>> but you could possibly add something like this to that rule if the 
>> test webpage occurs on the same domain every time:
>>
>> content:!"trustedvendor.com"; http_header;
>>
>> If their IP address were to change but the domain stays the same the 
>> above would still work.
>>
>> Regards,
>>
>> Darien
>>
>>
>> On Fri, Jun 20, 2014 at 7:24 AM, Leonard Jacobs 
>> <ljacobs at netsecuris.com>
>> wrote:
>>
>> > I want to be able to ignore some External source IP addresses in
>> > signatures. Can I list them in suricata.yaml with a ! in front of them?
>> > Like:
>> >
>> > EXTERNAL_NET: "[!$HOME_NET, !x.x.x.x, !x.x.x.x/16]"   for example.
>> >
>> > I have a trusted vendor that is causing false positives because
>> > they refuse to change a numeric string in what they are sending in
>> > a test web page so it is triggering a Trojan signature. I want to
>> > ignore their traffic. I know that is dangerous if they were really
>> > used as an attack vector into my network.
>> >
>> > Any suggestions?
>> >
>> > Leonard
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: 
>> > oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support: 
>> > http://suricata-ids.org/support/
>> > List: 
>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > OISF: http://www.openinfosecfoundation.org/
>> >
>>
>
>
> Leonard Jacobs, MBA, CISSP, CSSA
> President/CEO
> Netsecuris Inc.
> P 952-641-1421 ext. 20
> http://www.netsecuris.com
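Added example for this thread (not code from Suricata, Emerging Threats or anyone in the thread): a small Python model of the address-group semantics documented for Suricata rules (positive entries are OR-ed, "!" entries are subtracted, a group made only of negations means "any address except these", "$NAME" expands a suricata.yaml variable, and groups nest with [...]). It lets you dry-run the EXTERNAL_NET override proposed above, with the eight vendor hosts and the one range collected into a TRUSTED_VENDOR variable. The variable name and every IP below are constructed placeholders.

```python
"""Dry-run of a Suricata address-group override such as
EXTERNAL_NET: "[!$HOME_NET, !$TRUSTED_VENDOR]".

This re-implements the documented group semantics in Python so a
candidate suricata.yaml variable layout can be checked offline; it is
not Suricata's own matcher.
"""
import ipaddress

# Constructed suricata.yaml address-groups. TRUSTED_VENDOR is an assumed
# variable name; the 8 hosts and one range stand in for the vendor's real ones.
ADDRESS_GROUPS = {
    "HOME_NET": "[192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12]",
    "TRUSTED_VENDOR": "[203.0.113.10, 203.0.113.11, 203.0.113.12, 203.0.113.13, "
                      "203.0.113.14, 203.0.113.15, 203.0.113.16, 203.0.113.17, "
                      "198.51.100.0/24]",
    "EXTERNAL_NET": "[!$HOME_NET, !$TRUSTED_VENDOR]",
}


def split_top_level(body):
    """Split a group body on commas that are not inside nested brackets."""
    items, depth, cur = [], 0, []
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    last = "".join(cur).strip()
    if last:
        items.append(last)
    return items


def matches(expr, ip, groups=ADDRESS_GROUPS, _seen=()):
    """Return True if `ip` falls inside the address-group expression `expr`."""
    expr = expr.strip()
    if expr.startswith("!"):                       # negation of a single item
        return not matches(expr[1:], ip, groups, _seen)
    if expr.startswith("$"):                       # variable reference
        name = expr[1:]
        if name in _seen:
            raise ValueError("variable loop: " + name)
        return matches(groups[name], ip, groups, _seen + (name,))
    if expr == "any":
        return True
    if expr.startswith("[") and expr.endswith("]"):
        items = split_top_level(expr[1:-1])
        positives = [i for i in items if not i.startswith("!")]
        negatives = [i[1:] for i in items if i.startswith("!")]
        # Only negations => start from "any"; otherwise OR the positives,
        # then subtract anything a negated entry matches.
        included = not positives or any(matches(p, ip, groups, _seen) for p in positives)
        excluded = any(matches(n, ip, groups, _seen) for n in negatives)
        return included and not excluded
    # Plain address or CIDR.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def is_external(ip, groups=ADDRESS_GROUPS):
    """Would a rule with source $EXTERNAL_NET still be evaluated for this host?"""
    return matches("$EXTERNAL_NET", ip, groups)


def check_examples():
    """Constructed probes: an ordinary internet host, two vendor addresses,
    an internal host, and a neighbour of the vendor that is NOT whitelisted."""
    probes = ["8.8.8.8", "203.0.113.10", "198.51.100.77", "10.1.2.3", "203.0.113.99"]
    return {ip: is_external(ip) for ip in probes}


if __name__ == "__main__":
    for ip, ext in check_examples().items():
        print(f"{ip:15} external={ext}")
```

Two caveats when moving from the model to a real sensor. First, redefining EXTERNAL_NET changes the scope of every rule that uses $EXTERNAL_NET, not just the one Trojan signature; if the goal is to silence one SID for a handful of sources without touching the ET rule file (so Oinkmaster or PulledPork updates are unaffected), a narrower tool is a threshold.config suppress entry per address or range, e.g. `suppress gen_id 1, sig_id <sid>, track by_src, ip 198.51.100.0/24`. Second, the model silently returns "no match" for a self-contradicting group such as `[!192.168.0.0/16, 192.168.0.0/16]`, which Suricata rejects at load time, so always validate the edited configuration with `suricata -T -c suricata.yaml` before restarting the sensor.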
