[Oisf-users] How do you ignore External IP Addresses?

Leonard Jacobs ljacobs at netsecuris.com
Mon Jun 23 12:39:38 UTC 2014


I actually created a new variable in suricata.yaml that includes the entire needed set of source IP addresses, which I applied in a custom pass rule.  It works great.
 
Thanks.
 
Leonard
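The thread ends up with three candidate ways to silence the vendor: negate their range inside $EXTERNAL_NET, add their range to $HOME_NET, or define a separate variable and use it in a pass rule. The following is an added example written for this thread (not code from the thread, the posters, or Suricata itself): a small Python model of Suricata's flat address groups ($VAR references, '!' negation, 'any') and its default action order (pass before alert), run over constructed flows so the three approaches can be compared side by side, which the thread only hints at. The vendor range 203.0.113.0/24 and the other addresses are made-up RFC 5737 documentation addresses, the two signatures are placeholders, and matching is modelled per flow rather than per packet, so treat it as an illustration of the scoping difference, not as Suricata's resolver.

```python
"""Simplified model of how Suricata address-group variables and pass rules
decide which flows a signature can still fire on.

Added example; not code from the mailing-list thread or from Suricata.
It handles flat groups only (CIDRs, $VAR references, '!' negation, 'any')
and flow-level matching with pass rules evaluated before alert rules,
which is Suricata's default action order. Ports and nested groups are omitted.
"""
import ipaddress


def parse_group(text, variables):
    """Expand an address-group string into (positives, negatives) network lists."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    positives, negatives = [], []
    for item in (t.strip() for t in text.split(",") if t.strip()):
        negate = item.startswith("!")
        if negate:
            item = item[1:].strip()
        if item == "any":
            continue  # 'any' adds no restriction at all
        if item.startswith("$"):
            pos, neg = parse_group(variables[item[1:]], variables)
            if negate:
                # Only pure-positive or pure-negative variables are negated here;
                # a mixed list would need real set arithmetic.
                if pos and neg:
                    raise ValueError("cannot negate a mixed group: %s" % item)
                pos, neg = neg, pos
            positives.extend(pos)
            negatives.extend(neg)
        else:
            net = ipaddress.ip_network(item, strict=False)
            (negatives if negate else positives).append(net)
    return positives, negatives


def in_group(ip, group):
    """True when the address is inside some positive entry (or there are none)
    and outside every negated entry."""
    addr = ipaddress.ip_address(ip)
    positives, negatives = group
    return (not positives or any(addr in n for n in positives)) and \
        not any(addr in n for n in negatives)


def evaluate(rules, variables, src, dst):
    """Return 'pass' if a pass rule matches the flow, else the matching alert msgs."""
    matched = [r for r in rules
               if in_group(src, parse_group(r["src"], variables))
               and in_group(dst, parse_group(r["dst"], variables))]
    if any(r["action"] == "pass" for r in matched):
        return "pass"
    return [r["msg"] for r in matched if r["action"] == "alert"]


# Constructed addresses: RFC 5737 documentation ranges stand in for the trusted
# vendor and for an unrelated external host. Nothing here comes from the thread.
VENDOR_NET = "203.0.113.0/24"
VENDOR_HOST, INTERNAL_HOST, OTHER_HOST = "203.0.113.10", "10.1.2.3", "198.51.100.7"

# Placeholder signatures: one inbound (the kind the vendor's test page trips)
# and one outbound, to show which approaches also silence the other direction.
ALERT_RULES = [
    {"action": "alert", "src": "$EXTERNAL_NET", "dst": "$HOME_NET", "msg": "TROJAN inbound"},
    {"action": "alert", "src": "$HOME_NET", "dst": "$EXTERNAL_NET", "msg": "POLICY outbound"},
]
PASS_RULE = {"action": "pass", "src": "$TRUSTED_VENDOR", "dst": "$HOME_NET", "msg": "pass vendor"}

SCENARIOS = {
    "baseline": ({"HOME_NET": "[10.0.0.0/8]", "EXTERNAL_NET": "!$HOME_NET"}, ALERT_RULES),
    "negate_in_external_net": ({"HOME_NET": "[10.0.0.0/8]",
                                "EXTERNAL_NET": "[!$HOME_NET, !%s]" % VENDOR_NET}, ALERT_RULES),
    "add_to_home_net": ({"HOME_NET": "[10.0.0.0/8, %s]" % VENDOR_NET,
                         "EXTERNAL_NET": "!$HOME_NET"}, ALERT_RULES),
    "custom_var_pass_rule": ({"HOME_NET": "[10.0.0.0/8]", "EXTERNAL_NET": "!$HOME_NET",
                              "TRUSTED_VENDOR": "[%s]" % VENDOR_NET}, ALERT_RULES + [PASS_RULE]),
}

FLOWS = {
    "vendor->internal": (VENDOR_HOST, INTERNAL_HOST),
    "internal->vendor": (INTERNAL_HOST, VENDOR_HOST),
    "other->internal": (OTHER_HOST, INTERNAL_HOST),
}


def outcomes(scenario):
    """Map each constructed flow to what the named scenario does with it."""
    variables, rules = SCENARIOS[scenario]
    return {name: evaluate(rules, variables, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, outcomes(name))
```

Run as a script it prints one line per scenario. The point it makes: negating the vendor inside $EXTERNAL_NET, or folding the vendor into $HOME_NET, silences every signature in both directions for that range (the vendor is simply no longer "external" to any rule), whereas the separate variable plus a pass rule scoped vendor-to-$HOME_NET suppresses only the flow that was causing the false positive and leaves outbound detections toward the vendor intact. The unrelated external host is unaffected under every approach.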
 
From: Brant Wells [mailto:bwells at tfc.edu] 
Sent: Monday, June 23, 2014 7:25 AM
To: Leonard Jacobs
Cc: Darien Huss; OISF Users
Subject: Re: [Oisf-users] How do you ignore External IP Addresses?
 
Hey Leonard,
 
There's not really much of a difference in doing that.  But it is another way to skin the cat, so to speak.  I usually put things I want to ignore (i.e. Vendor IPs) in the Home_Net, since we generally trust the IP addresses.
 
Like I said though... Either way *should* work.
 
~Brant
 
 
On Fri, Jun 20, 2014 at 8:48 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
What is the difference between that and putting them in $EXTERNAL_NET while telling it not to include them, using an exclamation point in front of the IPs?
 
From: Brant Wells [mailto:bwells at tfc.edu] 
Sent: Friday, June 20, 2014 1:06 PM
To: Leonard Jacobs
Cc: Darien Huss; OISF Users
Subject: Re: [Oisf-users] How do you ignore External IP Addresses?
 
You could also add the IP Ranges that you want to ignore to the $HOME_NET variable...  
 
$HOME_NET = [10.0.0.0/16, 192.168.1.0/24, 8.8.8.8/32]
 
Or something like that to make it ignore the servers that you don't want to monitor traffic from.
 
 
On Fri, Jun 20, 2014 at 12:23 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
I am trying to avoid customizing a standard signature because updating becomes problematic then.

----- Original Message -----
From: Darien Huss [mailto:dhuss at emergingthreats.net]
To: Leonard Jacobs [mailto:ljacobs at netsecuris.com]
Cc: oisf-users at openinfosecfoundation.org
Sent: Fri, 20 Jun 2014 06:59:49 -0500
Subject: Re: [Oisf-users] How do you ignore External IP Addresses?


> Without seeing the traffic I'm not sure if this would be reliable, but you
> could possibly add something like this to that rule if the test webpage
> occurs on the same domain every time:
>
> content:!"trustedvendor.com"; http_header;
>
> If their IP address were to change but the domain stays the same the above
> would still work.
>
> Regards,
>
> Darien
>
>
> On Fri, Jun 20, 2014 at 7:24 AM, Leonard Jacobs <ljacobs at netsecuris.com>
> wrote:
>
> > I want to be able to ignore some External source IP addresses in
> > signatures. Can I list them in suricata.yaml with a ! in front of them?
> > Like:
> >
> > EXTERNAL_NET: "[!$HOME_NET, !x.x.x.x, !x.x.x.x/16]"   for example.
> >
> > I have a trusted vendor that is causing false positives because they
> > refuse to change a numeric string in what they are sending in a test web
> > page so it is triggering a Trojan signature. I want to ignore their
> > traffic. I know that is dangerous if they were really used as an attack
> > vector into my network.
> >
> > Any suggestions?
> >
> > Leonard
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> >
>
Leonard Jacobs, MBA, CISSP, CSSA
President/CEO
Netsecuris Inc.
P 952-641-1421 ext. 20
http://www.netsecuris.com


 
-- 
~Brant Wells
Network Administrator
Toccoa Falls College
107 Kincaid Drive Toccoa Falls, GA 30598
706-886-7299 x5346 * bwells at tfc.edu
 