[Oisf-users] How do you ignore External IP Addresses?
Leonard Jacobs
ljacobs at netsecuris.com
Sun Jun 22 15:56:08 UTC 2014
If I do a pass rule, will the standard drop rule ignore the IPs of the vendor?
-----Original Message-----
From: Cooper F. Nelson [mailto:cnelson at ucsd.edu]
Sent: Saturday, June 21, 2014 3:03 PM
To: Leonard Jacobs; oisf-users at openinfosecfoundation.org
Subject: Re: [Oisf-users] How do you ignore External IP Addresses?
Looking at your original query, if you just want to ignore all their traffic, use a bpf filter either on the command line, in a filter file or in the suricata.yaml config. It would look like this (for example):
not (host IP1 or IP2 or IP3 or net NET/24)
That will drop all traffic for those hosts.
If you want to use pass rules, you need to copy the standard rule to a new rule with a new sid, change "alert" to "pass" and then add the IPs/networks to the rule. Make sure you enable the rules file (e.g. pass.rules) in your suricata.yaml file.
- -Coop
On 6/20/2014 5:54 PM, Leonard Jacobs wrote:
> Thanks Coop. That makes a lot of sense. They gave us 8 IPs plus a
> range. How would you suggest handling that many IPs?
>
> How does the pass rule work when we still need the standard signature
> to still function for all other IP addresses not associated with this
> vendor?
>
> -----Original Message-----
> From: Cooper F. Nelson [mailto:cnelson at ucsd.edu]
> Sent: Friday, June 20, 2014 1:00 PM
> To: Leonard Jacobs; oisf-users at openinfosecfoundation.org
> Subject: Re: [Oisf-users] How do you ignore External IP Addresses?
>
> You want to use a 'pass' rule, they look like this and will prevent
> suricata from further processing the stream:
>
>> pass http any any -> any any (content:"foo.com"; http_host; sid:100; rev:1;)
>
> In your case, just copy the sigs that are triggering false positives
> to new sids, change 'alert' to 'pass' and then add the vendors src net
> to that rule.
>
> You can also simply ignore all their traffic with a bpf filter. Just
> add 'not src net x.x.x.x/16' to the end of the command line when you
> start suricata.
>
> -Coop
>
> On 6/20/2014 4:24 AM, Leonard Jacobs wrote:
>> I want to be able to ignore some External source IP addresses in
>> signatures. Can I list them in suricata.yaml with a ! in front of
>> them. Like:
>>
>> EXTERNAL_NET: "[!$HOME_NET, !x.x.x.x, !x.x.x.x/16]" for example.
>>
>> I have a trusted vendor that is causing false positives because they
>> refuse to change a numeric string in what they are sending in a test
>> web page so it is triggering a Trojan signature. I want to ignore
>> their traffic. I know that is dangerous if they were really used as
>> an attack vector into my network.
>>
>> Any suggestions?
>>
>> Leonard
>>
- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
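An added example, not from the thread: a small Python helper that performs the copy described above (same matching options, new sid, vendor addresses as source, "alert" changed to "pass") and also emits the equivalent bpf filter. Suricata evaluates pass rules before drop/reject/alert under its default action order, which is why the original rule keeps firing for every other source. The sample rule and the 192.0.2.10 / 203.0.113.0/24 addresses are constructed placeholders.

```python
# Added example (not from the thread): build the 'pass' counterpart of an
# alert rule for a trusted vendor's addresses, plus the equivalent bpf filter.
# The rule and the addresses below are constructed placeholders (RFC 5737).
import re

# One-line Suricata rule: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

# Constructed rule standing in for the Trojan signature that misfires.
SAMPLE_RULE = ('alert http $EXTERNAL_NET any -> $HOME_NET any '
               '(msg:"Example Trojan check"; content:"foo.com"; http_host; '
               'sid:100; rev:1;)')
VENDOR_NETS = ["192.0.2.10", "203.0.113.0/24"]  # placeholder vendor addresses


def make_pass_rule(rule, vendor_nets, new_sid, used_sids=()):
    """Copy `rule` as a pass rule restricted to `vendor_nets` as source.

    Suricata evaluates pass before drop/reject/alert (default action order),
    so the original alert/drop rule still applies to every other source.
    """
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a single-line Suricata rule")
    if new_sid in used_sids:
        raise ValueError(f"sid {new_sid} already in use")
    # Keep the same matching options so only this signature is bypassed,
    # and only for the vendor's addresses.
    opts = re.sub(r"\bsid\s*:\s*\d+\s*;", f"sid:{new_sid};", m["opts"])
    opts = re.sub(r"\brev\s*:\s*\d+\s*;", "rev:1;", opts)
    src = "[" + ",".join(vendor_nets) + "]"
    return (f"pass {m['proto']} {src} {m['sport']} {m['dir']} "
            f"{m['dst']} {m['dport']} ({opts})")


def make_bpf_filter(vendor_nets):
    """Capture-level alternative: ignores ALL traffic to or from these nets."""
    terms = [f"net {n}" if "/" in n else f"host {n}" for n in vendor_nets]
    return "not (" + " or ".join(terms) + ")"


if __name__ == "__main__":
    print(make_pass_rule(SAMPLE_RULE, VENDOR_NETS, 9000001, used_sids={100}))
    print(make_bpf_filter(VENDOR_NETS))
```

The pass rule silences one signature for the vendor only; the bpf filter removes the vendor's traffic from inspection entirely, so every other rule is blind to it too.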