[Oisf-users] How do you ignore External IP Addresses?

Cooper F. Nelson cnelson at ucsd.edu
Sun Jun 22 17:02:06 UTC 2014



Pass rules are processed first and if they match a stream it's not
processed any further.  No alert rules are run.

Another solution would be to look at the packet capture and write an
oinkmaster rule to modify the sig to ignore the packet at the
application layer.  Something like this should work:

content:!"string"

... where string is something unique about that particular traffic.  If
it's all going to a specific web app you could use an HTTP rule to match
the host header.

On 6/22/2014 8:56 AM, Leonard Jacobs wrote:
> If I do a pass rule, will the standard drop rule ignore the IPs of the vendor?
> 
> -----Original Message-----
> From: Cooper F. Nelson [mailto:cnelson at ucsd.edu] 
> Sent: Saturday, June 21, 2014 3:03 PM
> To: Leonard Jacobs; oisf-users at openinfosecfoundation.org
> Subject: Re: [Oisf-users] How do you ignore External IP Addresses?
> 
> Looking at your original query, if you just want to ignore all their traffic use a bpf filter either on the command line, a filter file or in the suricata.yaml config.  It would look like this (for example):
> 
> not (host IP1 or IP2 or IP3 or net NET/24)
> 
> That will drop all traffic for those hosts.
> 
> If you want to use pass rules, you need to copy the standard rule to a new rule with a new sid, change "alert" to "pass" and then add the IPs/networks to the rule.  Make sure you enable the rules file (e.g.
> pass.rules) in your suricata.yaml file.
> 
> -Coop
> 
> On 6/20/2014 5:54 PM, Leonard Jacobs wrote:
>> Thanks Coop.  That makes a lot of sense.  They gave us 8 IPs plus a 
>> range. How would you suggest handling that many IPs?
> 
>> How does the pass rule work when we still need the standard signature 
>> to still function for all other IP addresses not associated with this 
>> vendor?
> 
>> -----Original Message----- From: Cooper F. Nelson 
>> [mailto:cnelson at ucsd.edu] Sent: Friday, June 20, 2014 1:00 PM To:
>> Leonard Jacobs; oisf-users at openinfosecfoundation.org Subject: Re:
>> [Oisf-users] How do you ignore External IP Addresses?
> 
>> You want to use a 'pass' rule, they look like this and will prevent 
>> suricata from further processing the stream:
> 
>>> pass http any any -> any any (content:"foo.com"; http_host; sid:100; 
>>> rev:1;)
> 
>> In your case, just copy the sigs that are triggering false positives 
>> to new sids, change 'alert' to 'pass' and then add the vendor's src net 
>> to that rule.
> 
>> You can also simply ignore all their traffic with a bpf filter.  Just 
>> add 'not src net x.x.x.x/16' to the end of the command line when you 
>> start suricata.
> 
>> -Coop
> 
>> On 6/20/2014 4:24 AM, Leonard Jacobs wrote:
>>> I want to be able to ignore some External source IP addresses in 
>>> signatures. Can I list them in suricata.yaml with a ! in front of 
>>> them. Like:
> 
>>> EXTERNAL_NET: "[!$HOME_NET, !x.x.x.x, !x.x.x.x/16]"   for example.
> 
>>> I have a trusted vendor that is causing false positives because they 
>>> refuse to change a numeric string in what they are sending in a test 
>>> web page so it is triggering a Trojan signature. I want to ignore 
>>> their traffic. I know that is dangerous if they were really used as 
>>> an attack vector into my network.
> 
>>> Any suggestions?
> 
>>> Leonard

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
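The two approaches discussed in the thread, worked through as an added Python example that is not part of the original messages: given the vendor's list of addresses and ranges, it builds the `pass` copy of an alert signature with a new sid (so the original alert keeps firing for every other source, since pass rules are evaluated first) and the equivalent BPF expression that removes all of the vendor's traffic from inspection. The sample alert rule, its sid 9000001 and the 192.0.2.x / 198.51.100.0/24 addresses are constructed placeholders (RFC 5737 documentation space), not a real signature or real vendor.

```python
import ipaddress
import re

# Constructed sample: a generic alert rule of the kind described in the thread.
# Not a real ruleset signature; sid and content string are placeholders.
SAMPLE_ALERT_RULE = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"EXAMPLE Trojan numeric string"; flow:established,to_server; '
    'content:"12345678"; http_uri; classtype:trojan-activity; sid:9000001; rev:2;)'
)

# Constructed vendor list: eight-ish hosts plus a range, as in the thread.
VENDOR_ADDRS = ["192.0.2.10", "192.0.2.11", "198.51.100.0/24"]

# Header of a single-line Suricata rule: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)


def validate_addrs(addrs):
    """Every entry must parse as an IP or CIDR; a typo here would silently
    whitelist nothing (or the wrong thing), so fail loudly instead."""
    for a in addrs:
        ipaddress.ip_network(a, strict=False)  # raises ValueError on garbage
    return list(addrs)


def address_group(addrs):
    """Suricata address-group syntax: [ip,ip,net/len]."""
    return "[" + ",".join(validate_addrs(addrs)) + "]"


def make_pass_rule(alert_rule, vendor_addrs, new_sid):
    """Copy an alert rule to a pass rule scoped to the vendor's source addresses.

    The options are kept identical so the pass rule matches exactly the same
    traffic as the alert, but only when it comes from the vendor; the original
    sid stays loaded and still alerts on everyone else.
    """
    m = RULE_RE.match(alert_rule)
    if not m or m.group("action") != "alert":
        raise ValueError("expected a single-line 'alert' rule")
    opts = m.group("opts")
    opts = re.sub(r'\bsid:\s*\d+;', f'sid:{new_sid};', opts)   # new sid, as the thread says
    opts = re.sub(r'\brev:\s*\d+;', 'rev:1;', opts)            # fresh revision counter
    opts = re.sub(r'msg:"', 'msg:"PASS vendor ', opts, count=1)  # make it easy to spot in rule stats
    proto, sport, direction, dst, dport = (
        m.group("proto"), m.group("sport"), m.group("dir"), m.group("dst"), m.group("dport"))
    return f"pass {proto} {address_group(vendor_addrs)} {sport} {direction} {dst} {dport} ({opts})"


def make_bpf_filter(vendor_addrs):
    """BPF expression dropping all traffic to or from the vendor, in the
    'not (host ... or net .../24)' form suggested in the thread."""
    terms = []
    for a in validate_addrs(vendor_addrs):
        net = ipaddress.ip_network(a, strict=False)
        if net.num_addresses == 1:
            terms.append(f"host {net.network_address}")
        else:
            terms.append(f"net {net.with_prefixlen}")
    return "not (" + " or ".join(terms) + ")"


if __name__ == "__main__":
    print(make_pass_rule(SAMPLE_ALERT_RULE, VENDOR_ADDRS, new_sid=100))
    print(make_bpf_filter(VENDOR_ADDRS))
```

The generated pass rule goes into a file such as pass.rules that is listed under rule-files in suricata.yaml, as the thread describes; `suricata -T -c suricata.yaml` then confirms the file loads before the sensor is restarted. The trade-off between the two outputs is the one the thread already makes: the pass rule suppresses only that one signature for the vendor, while the BPF filter blinds the sensor to everything those hosts do.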