[Oisf-users] How do you ignore External IP Addresses?

Brant Wells bwells at tfc.edu
Mon Jun 23 12:25:03 UTC 2014


Hey Leonard,

There's not really much of a difference in doing that.  But it is another
way to skin the cat, so to speak.  I usually put things I want to ignore
(i.e., Vendor IPs) in the Home_Net, since we generally trust the IP addresses.

Like I said though... Either way *should* work.

~Brant
On Fri, Jun 20, 2014 at 8:48 PM, Leonard Jacobs <ljacobs at netsecuris.com>
wrote:

> What is the difference between that and putting them in $EXTERNAL_NET with
> telling them to not include using an exclamation point in front of IPs?
>
> *From:* Brant Wells [mailto:bwells at tfc.edu]
> *Sent:* Friday, June 20, 2014 1:06 PM
> *To:* Leonard Jacobs
> *Cc:* Darien Huss; OISF Users
>
> *Subject:* Re: [Oisf-users] How do you ignore External IP Addresses?
>
> You could also add the IP Ranges that you want to ignore to the $HOME_NET
> variable...
>
> $HOME_NET = [10.0.0.0/16, 192.168.1.0/24, 8.8.8.8/32]
>
> Or something like that to make it ignore the servers that you don't want
> to monitor traffic from.
>
> On Fri, Jun 20, 2014 at 12:23 PM, Leonard Jacobs <ljacobs at netsecuris.com>
> wrote:
>
> I am trying to avoid customizing a standard signature because updating
> becomes problematic then.
>
>
> ----- Original Message -----
> From: Darien Huss [mailto:dhuss at emergingthreats.net]
> To: Leonard Jacobs [mailto:ljacobs at netsecuris.com]
> Cc: oisf-users at openinfosecfoundation.org
> Sent: Fri, 20 Jun 2014 06:59:49 -0500
> Subject: Re: [Oisf-users] How do you ignore External IP Addresses?
>
>
> > Without seeing the traffic I'm not sure if this would be reliable, but
> > you could possibly add something like this to that rule if the test webpage
> > occurs on the same domain every time:
> >
> > content:!"trustedvendor.com"; http_header;
> >
> > If their IP address were to change but the domain stays the same the
> > above would still work.
> >
> > Regards,
> >
> > Darien
> >
> >
> > On Fri, Jun 20, 2014 at 7:24 AM, Leonard Jacobs <ljacobs at netsecuris.com>
> > wrote:
> >
> > > I want to be able to ignore some External source IP addresses in
> > > signatures. Can I list them in suricata.yaml with a ! in front of them?
> > > Like:
> > >
> > > EXTERNAL_NET: "[!$HOME_NET, !x.x.x.x, !x.x.x.x/16]"   for example.
> > >
> > > I have a trusted vendor that is causing false positives because they
> > > refuse to change a numeric string in what they are sending in a test
> > > web page so it is triggering a Trojan signature. I want to ignore their
> > > traffic. I know that is dangerous if they were really used as an attack
> > > vector into my network.
> > >
> > > Any suggestions?
> > >
> > > Leonard
> > >
> > > _______________________________________________
> > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > OISF: http://www.openinfosecfoundation.org/
> > >
> >
>
> Leonard Jacobs, MBA, CISSP, CSSA
> President/CEO
> Netsecuris Inc.
> P 952-641-1421 ext. 20
> http://www.netsecuris.com
>
> --
>
> ~Brant Wells
>
> Network Administrator
>
> Toccoa Falls College
>
> 107 Kincaid Drive Toccoa Falls, GA 30598
>
> 706-886-7299 x5346 * bwells at tfc.edu
>

-- 
~Brant Wells
Network Administrator
Toccoa Falls College
107 Kincaid Drive Toccoa Falls, GA 30598
706-886-7299 x5346 * bwells at tfc.edu
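To make the two suggestions in this thread concrete (adding the vendor to $HOME_NET versus negating it inside $EXTERNAL_NET), here is an added Python model of how Suricata resolves address-group variables and applies a rule header to a packet; it is not Suricata's code nor anything posted in the thread. Its simplified semantics (flat groups only; an address matches when it falls in some positive entry, or the group has none, and in no negated entry), the `compile_group`/`rule_fires` helpers and the documentation-range addresses used for the vendor, a stranger and an internal host are all assumptions.

```python
import ipaddress

def compile_group(expr, variables):
    """Turn a Suricata-style address group, e.g. '[!$HOME_NET, !203.0.113.10/32]',
    into a predicate ip -> bool.  Assumed simplified semantics: the address must fall
    inside some positive entry (or the group has none) and inside no negated entry;
    $NAME is looked up in `variables`; nested brackets are not handled."""
    expr = expr.strip()
    if expr.startswith('[') and expr.endswith(']'):
        expr = expr[1:-1]
    positives, negatives = [], []
    for item in (s.strip() for s in expr.split(',') if s.strip()):
        negate = item.startswith('!')
        item = item.lstrip('!').strip()
        if item.startswith('$'):
            pred = compile_group(variables[item[1:]], variables)
        elif item == 'any':
            pred = lambda ip: True
        else:
            net = ipaddress.ip_network(item, strict=False)
            pred = (lambda n: lambda ip: ip in n)(net)
        (negatives if negate else positives).append(pred)

    def match(ip):
        ip = ipaddress.ip_address(str(ip))
        in_positive = not positives or any(p(ip) for p in positives)
        return in_positive and not any(n(ip) for n in negatives)
    return match

def rule_fires(variables, src_group, dst_group, src, dst):
    """Does a rule header 'src_group -> dst_group' apply to this src/dst pair?"""
    return compile_group(src_group, variables)(src) and compile_group(dst_group, variables)(dst)

# Constructed addresses: documentation ranges stand in for the vendor and a stranger.
VENDOR, STRANGER, INTERNAL = '203.0.113.10', '198.51.100.7', '10.0.5.20'
# Approach A (from the thread): put the vendor into HOME_NET.
VARS_A = {'HOME_NET': '[10.0.0.0/16, 192.168.1.0/24, 203.0.113.10/32]',
          'EXTERNAL_NET': '!$HOME_NET'}
# Approach B (from the thread): negate the vendor inside EXTERNAL_NET.
VARS_B = {'HOME_NET': '[10.0.0.0/16, 192.168.1.0/24]',
          'EXTERNAL_NET': '[!$HOME_NET, !203.0.113.10/32]'}

if __name__ == '__main__':
    for name, v in (('A: vendor in HOME_NET', VARS_A), ('B: vendor negated', VARS_B)):
        print(name)  # the inbound Trojan-style rule is silenced for the vendor under both
        print('  $EXTERNAL_NET -> $HOME_NET vendor->internal  ', rule_fires(v, '$EXTERNAL_NET', '$HOME_NET', VENDOR, INTERNAL))
        print('  $EXTERNAL_NET -> $HOME_NET stranger->internal', rule_fires(v, '$EXTERNAL_NET', '$HOME_NET', STRANGER, INTERNAL))
        # but a rule protecting $HOME_NET now also fires on traffic *to* the vendor under A
        print('  any -> $HOME_NET internal->vendor            ', rule_fires(v, 'any', '$HOME_NET', INTERNAL, VENDOR))
```

Running it shows that both approaches stop the inbound `$EXTERNAL_NET -> $HOME_NET` rule matching the vendor while still matching a stranger, but only approach A makes every rule that protects `$HOME_NET` treat the vendor as one of your own hosts.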