[Oisf-users] How do you ignore External IP Addresses?

Leonard Jacobs ljacobs at netsecuris.com
Sat Jun 21 00:54:01 UTC 2014

Thanks Coop.  That makes a lot of sense.  They gave us 8 IPs plus a range. How would you suggest handling that many IPs?

How does the pass rule work when we still need the standard signature to still function for all other IP addresses not associated with this vendor?

-----Original Message-----
From: Cooper F. Nelson [mailto:cnelson at ucsd.edu] 
Sent: Friday, June 20, 2014 1:00 PM
To: Leonard Jacobs; oisf-users at openinfosecfoundation.org
Subject: Re: [Oisf-users] How do you ignore External IP Addresses?


You want to use a 'pass' rule, they look like this and will prevent suricata from further processing the stream:

> pass http any any -> any any (content:"foo.com"; http_host; sid:100; rev:1;)

In your case, just copy the sigs that are triggering false positives to new sids, change 'alert' to 'pass' and then add the vendors src net to that rule.

You can also simply ignore all their traffic with a bpf filter.  Just add 'not src net x.x.x.x/16' to the end of the command line when you start suricata.

-Coop

On 6/20/2014 4:24 AM, Leonard Jacobs wrote:
> I want to be able to ignore some External source IP addresses in 
> signatures. Can I list them in suricata.yaml with a ! in front of them.
> Like:
> EXTERNAL_NET: "[!$HOME_NET, !x.x.x.x, !x.x.x.x/16]"   for example.
> I have a trusted vendor that is causing false positives because they 
> refuse to change a numeric string in what they are sending in a test 
> web page so it is triggering a Trojan signature. I want to ignore 
> their traffic. I know that is dangerous if they were really used as an 
> attack vector into my network.
> Any suggestions?
> Leonard

--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
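Added example for the thread above (not Coop's code and not part of Suricata): a small Python helper that does what Coop describes, copying a false-positive alert sig to a new sid, flipping it to 'pass' and putting the vendor's addresses in the source field, for the "8 IPs plus a range" case. The sample alert rule and the vendor addresses (RFC 5737 documentation ranges) are constructed, the 1000001 starting sid is just the usual local-rule convention, and the VENDOR_NET address group is an assumption about how you would name a custom variable under vars/address-groups in suricata.yaml. It also builds the many-address form of Coop's BPF 'not src net' filter.

```python
import re

# Constructed sample alert rule, not a real ET/VRT signature: stands in for
# the Trojan sig that the vendor's test page keeps tripping.
SAMPLE_ALERT = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"SAMPLE Trojan numeric string in request"; flow:established,to_server; '
    'content:"12345678"; http_client_body; sid:9000001; rev:2;)'
)

# Constructed vendor address list (RFC 5737 documentation ranges): eight
# hosts plus one range, as in the thread.
VENDOR_NETS = [
    "198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13",
    "198.51.100.20", "198.51.100.21", "198.51.100.22", "198.51.100.23",
    "203.0.113.0/24",
]

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)


def address_group(nets):
    """Render hosts/CIDRs as one Suricata address group, e.g. [a,b,c/24]."""
    return "[" + ",".join(nets) + "]"


def make_pass_rule(alert_rule, vendor_nets, new_sid):
    """Copy an alert rule into a pass rule limited to the vendor's source nets.

    Protocol, ports, direction and every detection option are kept, so the
    pass rule only matches the same requests the alert would have matched,
    and only when they come from the vendor. The original alert rule stays
    loaded and keeps firing for every other source.
    """
    m = HEADER_RE.match(alert_rule.strip())
    if not m:
        raise ValueError("not a rule header: " + alert_rule)
    opts = m["opts"]
    opts = re.sub(r'\bsid:\s*\d+;', f"sid:{new_sid};", opts)
    opts = re.sub(r'\brev:\s*\d+;', "rev:1;", opts)
    opts = opts.replace('msg:"', 'msg:"VENDOR PASS - ', 1)  # easy to spot in the rules file
    return (f"pass {m['proto']} {address_group(vendor_nets)} {m['sport']} "
            f"{m['dir']} {m['dst']} {m['dport']} ({opts})")


def make_pass_rules(alert_rules, vendor_nets, first_sid=1000001):
    """One pass rule per false-positive sig; local sids conventionally start at 1000001."""
    return [make_pass_rule(r, vendor_nets, first_sid + i) for i, r in enumerate(alert_rules)]


def bpf_exclude(vendor_nets):
    """Capture-time BPF, the many-address form of Coop's 'not src net x.x.x.x/16'.

    Unlike the pass rules, this hides the vendor's traffic from every
    signature, which is the risk Leonard already pointed out.
    """
    terms = [f"src net {n}" if "/" in n else f"src host {n}" for n in vendor_nets]
    return "not (" + " or ".join(terms) + ")"


def yaml_address_group(name, vendor_nets):
    """Line for vars/address-groups in suricata.yaml (assumed custom variable name),
    so the pass rules can say $VENDOR_NET instead of repeating the literal list."""
    return f'{name}: "{address_group(vendor_nets)}"'


if __name__ == "__main__":
    for rule in make_pass_rules([SAMPLE_ALERT], VENDOR_NETS):
        print(rule)
    print(yaml_address_group("VENDOR_NET", VENDOR_NETS))
    print(bpf_exclude(VENDOR_NETS))
```

On the second question in the mail: with Suricata's default action order (pass, drop, reject, alert) a matching pass rule is taken before the alert rule for the same traffic, so the alert still works for every source that is not in the vendor list, and because the pass rule carries the same content match, the vendor's other traffic is still inspected by every other signature. Only the BPF variant makes the vendor invisible to all signatures.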

