[Oisf-users] How do you ignore External IP Addresses?

Cooper F. Nelson cnelson at ucsd.edu
Sat Jun 21 20:02:45 UTC 2014



Looking at your original query, if you just want to ignore all their
traffic use a bpf filter either on the command line, a filter file or in
the suricata.yaml config.  It would look like this (for example):

not (host IP1 or IP2 or IP3 or net NET/24)

That will drop all traffic for those hosts.

If you want to use pass rules, you need to copy the standard rule to a
new rule with a new sid, change "alert" to "pass" and then add the
IPs/networks to the rule.  Make sure you enable the rules file (e.g.
pass.rules) in your suricata.yaml file.

-Coop

On 6/20/2014 5:54 PM, Leonard Jacobs wrote:
> Thanks Coop.  That makes a lot of sense.  They gave us 8 IPs plus a
> range. How would you suggest handling that many IPs?
> 
> How does the pass rule work when we still need the standard signature
> to still function for all other IP addresses not associated with this
> vendor?
> 
> -----Original Message-----
> From: Cooper F. Nelson [mailto:cnelson at ucsd.edu]
> Sent: Friday, June 20, 2014 1:00 PM
> To: Leonard Jacobs; oisf-users at openinfosecfoundation.org
> Subject: Re: [Oisf-users] How do you ignore External IP Addresses?
> 
> You want to use a 'pass' rule, they look like this and will prevent
> suricata from further processing the stream:
> 
>> pass http any any -> any any (content:"foo.com"; http_host;
>> sid:100; rev:1;)
> 
> In your case, just copy the sigs that are triggering false positives
> to new sids, change 'alert' to 'pass' and then add the vendor's src
> net to that rule.
> 
> You can also simply ignore all their traffic with a bpf filter.  Just
> add 'not src net x.x.x.x/16' to the end of the command line when you
> start suricata.
> 
> -Coop
> 
> On 6/20/2014 4:24 AM, Leonard Jacobs wrote:
>> I want to be able to ignore some External source IP addresses in
>> signatures. Can I list them in suricata.yaml with a ! in front of
>> them? Like:
>>
>> EXTERNAL_NET: "[!$HOME_NET, !x.x.x.x, !x.x.x.x/16]"   for example.
>>
>> I have a trusted vendor that is causing false positives because
>> they refuse to change a numeric string in what they are sending in
>> a test web page so it is triggering a Trojan signature. I want to
>> ignore their traffic. I know that is dangerous if they were really
>> used as an attack vector into my network.
>>
>> Any suggestions?
>>
>> Leonard

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
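As an added example (not code from the thread), a small Python helper that shows both options Coop describes: the BPF expression that excludes the vendor's hosts and range entirely, and a pass rule copied from an alert rule with a new sid and the vendor addresses as the source field. The alert rule, its sid and the vendor addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample alert rule of the kind the thread describes
# (hypothetical content and sid, not a real published signature).
ALERT_RULE = ('alert http $EXTERNAL_NET any -> $HOME_NET any '
              '(msg:"Example Trojan beacon"; content:"123456789"; '
              'http_uri; classtype:trojan-activity; sid:9000001; rev:2;)')

# Constructed vendor addresses (TEST-NET ranges, not real hosts).
VENDOR_ADDRS = ["192.0.2.10", "192.0.2.11", "198.51.100.0/24"]

RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')


def validate(addrs):
    """Normalise the addresses; anything unparsable raises ValueError."""
    out = []
    for a in addrs:
        net = ipaddress.ip_network(a, strict=False)
        out.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return out


def build_bpf(addrs):
    """BPF expression that drops the vendor traffic before any rule runs."""
    terms = [("net " if "/" in a else "host ") + a for a in validate(addrs)]
    return "not (" + " or ".join(terms) + ")"


def to_pass_rule(rule, addrs, new_sid):
    """Copy an alert rule to a pass rule scoped to the vendor addresses.

    The original alert rule stays in place and still fires for every other
    source; with Suricata's default action order, pass is evaluated first.
    """
    m = RULE_RE.match(rule)
    if not m or m.group("action") != "alert":
        raise ValueError("expected a single-line alert rule")
    opts = m.group("opts")
    if not re.search(r'\bsid:\d+;', opts):
        raise ValueError("rule has no sid to replace")
    src = "[" + ",".join(validate(addrs)) + "]"
    opts = re.sub(r'\bsid:\d+;', f'sid:{new_sid};', opts)
    opts = re.sub(r'\brev:\d+;', 'rev:1;', opts)
    return (f'pass {m.group("proto")} {src} {m.group("sport")} {m.group("dir")} '
            f'{m.group("dst")} {m.group("dport")} ({opts})')
```

The generated pass rule goes into its own file (e.g. pass.rules) that is listed in suricata.yaml, while the BPF string can be handed to suricata on the command line.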