[Oisf-users] How do you ignore External IP Addresses?

Leonard Jacobs ljacobs at netsecuris.com
Sun Jun 22 15:56:08 UTC 2014


If I do a pass rule, will the standard drop rule ignore the IPs of the vendor?

-----Original Message-----
From: Cooper F. Nelson [mailto:cnelson at ucsd.edu] 
Sent: Saturday, June 21, 2014 3:03 PM
To: Leonard Jacobs; oisf-users at openinfosecfoundation.org
Subject: Re: [Oisf-users] How do you ignore External IP Addresses?


Looking at your original query, if you just want to ignore all their traffic, use a bpf filter either on the command line, in a filter file or in the suricata.yaml config.  It would look like this (for example):

not (host IP1 or IP2 or IP3 or net NET/24)

That will drop all traffic for those hosts.

If you want to use pass rules, you need to copy the standard rule to a new rule with a new sid, change "alert" to "pass" and then add the IPs/networks to the rule.  Make sure you enable the rules file (e.g. pass.rules) in your suricata.yaml file.

-Coop

On 6/20/2014 5:54 PM, Leonard Jacobs wrote:
> Thanks Coop.  That makes a lot of sense.  They gave us 8 IPs plus a 
> range. How would you suggest handling that many IPs?
> 
> How does the pass rule work when we still need the standard signature 
> to still function for all other IP addresses not associated with this 
> vendor?
> 
> -----Original Message-----
> From: Cooper F. Nelson [mailto:cnelson at ucsd.edu]
> Sent: Friday, June 20, 2014 1:00 PM
> To: Leonard Jacobs; oisf-users at openinfosecfoundation.org
> Subject: Re: [Oisf-users] How do you ignore External IP Addresses?
> 
> You want to use a 'pass' rule, they look like this and will prevent 
> suricata from further processing the stream:
> 
>> pass http any any -> any any (content:"foo.com"; http_host; sid:100; 
>> rev:1;)
> 
> In your case, just copy the sigs that are triggering false positives 
> to new sids, change 'alert' to 'pass' and then add the vendors src net 
> to that rule.
> 
> You can also simply ignore all their traffic with a bpf filter.  Just 
> add 'not src net x.x.x.x/16' to the end of the command line when you 
> start suricata.
> 
> -Coop
> 
> On 6/20/2014 4:24 AM, Leonard Jacobs wrote:
>> I want to be able to ignore some External source IP addresses in 
>> signatures. Can I list them in suricata.yaml with a ! in front of 
>> them? Like:
>>
>> EXTERNAL_NET: "[!$HOME_NET, !x.x.x.x, !x.x.x.x/16]"   for example.
>>
>> I have a trusted vendor that is causing false positives because they 
>> refuse to change a numeric string in what they are sending in a test 
>> web page so it is triggering a Trojan signature. I want to ignore 
>> their traffic. I know that is dangerous if they were really used as 
>> an attack vector into my network.
>>
>> Any suggestions?
>>
>> Leonard

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
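An added example (not code from the thread or from the Suricata project) that scripts the approach Coop describes for a vendor with many addresses: it copies an alert signature into a pass rule scoped to the vendor's source addresses under a new sid, and builds the equivalent bpf filter. The sample signature and the RFC 5737 addresses are constructed; Suricata's default action-order evaluates pass rules before alert rules, so the copy wins for the vendor's traffic while the original signature keeps alerting for every other source.

```python
import ipaddress
import re

# Suricata rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

def normalize_nets(nets):
    """Validate every vendor address; a typo here would scope the pass rule wrongly."""
    out = []
    for n in nets:
        net = ipaddress.ip_network(n, strict=False)
        out.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return out

def make_pass_rule(alert_rule, vendor_nets, new_sid):
    """Copy an alert rule into a pass rule whose source is restricted to the vendor.
    The original rule is left untouched, so it still alerts for every other source."""
    m = RULE_RE.match(alert_rule.strip())
    if not m or m.group("action") != "alert":
        raise ValueError("expected a Suricata 'alert' rule")
    opts = m.group("opts")
    if not re.search(r"\bsid:\s*\d+;", opts):
        raise ValueError("rule has no sid")
    opts = re.sub(r"\bsid:\s*\d+;", f"sid:{new_sid};", opts)
    # The list could equally live in suricata.yaml as a custom address-group (e.g. $VENDOR_NET).
    src = "[" + ",".join(normalize_nets(vendor_nets)) + "]"
    return (f"pass {m.group('proto')} {src} {m.group('sport')} {m.group('dir')} "
            f"{m.group('dst')} {m.group('dport')} ({opts})")

def make_bpf_filter(vendor_nets):
    """Capture-level alternative from the thread: no packet from these nets reaches any rule."""
    terms = [f"net {n}" if "/" in n else f"host {n}" for n in normalize_nets(vendor_nets)]
    return "not (" + " or ".join(terms) + ")"

# Constructed sample data (RFC 5737 documentation ranges; not the vendor from the thread).
VENDOR_NETS = ["203.0.113.10", "203.0.113.11", "198.51.100.0/24"]
SAMPLE_ALERT = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED trojan '
                'numeric string"; content:"1234567"; http_uri; sid:2000001; rev:3;)')

if __name__ == "__main__":
    print(make_pass_rule(SAMPLE_ALERT, VENDOR_NETS, 9000001))
    print(make_bpf_filter(VENDOR_NETS))
```

Keeping the content match in the pass copy means only the vendor's copies of that one signature are passed, rather than all of the vendor's traffic as the bpf filter would do.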