[Oisf-users] How do you ignore External IP Addresses?

Victor Julien lists at inliniac.net
Tue Jun 24 11:47:59 UTC 2014


I have started documenting the options in such cases here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic

Feel free to extend.

Cheers,
Victor

On 06/23/2014 02:39 PM, Leonard Jacobs wrote:
> I actually created a new variable in suricata.yaml that includes the
> entire needed set of source IP addresses, which I applied in a custom
> pass rule.  It works great.
> 
> Thanks.
> 
> Leonard
> 
> *From:* Brant Wells [mailto:bwells at tfc.edu]
> *Sent:* Monday, June 23, 2014 7:25 AM
> *To:* Leonard Jacobs
> *Cc:* Darien Huss; OISF Users
> *Subject:* Re: [Oisf-users] How do you ignore External IP Addresses?
> 
> Hey Leonard,
> 
> There's not really much of a difference in doing that.  But it is
> another way to skin the cat, so to speak.  I usually put things I want
> to ignore (i.e. Vendor IPs) in the Home_Net, since we generally trust the
> IP addresses.
> 
> Like I said though... Either way *should* work.
> 
> ~Brant
> 
> On Fri, Jun 20, 2014 at 8:48 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
> 
> What is the difference between that and putting them in $EXTERNAL_NET
> and telling it not to include them by using an exclamation point in front of the IPs?
> 
> *From:* Brant Wells [mailto:bwells at tfc.edu]
> *Sent:* Friday, June 20, 2014 1:06 PM
> *To:* Leonard Jacobs
> *Cc:* Darien Huss; OISF Users
> *Subject:* Re: [Oisf-users] How do you ignore External IP Addresses?
> 
> You could also add the IP Ranges that you want to ignore to the
> $HOME_NET variable...
> 
> $HOME_NET = [10.0.0.0/16, 192.168.1.0/24, 8.8.8.8/32]
> 
> Or something like that to make it ignore the servers that you don't want
> to monitor traffic from.
> 
> On Fri, Jun 20, 2014 at 12:23 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
> 
> I am trying to avoid customizing a standard signature because updating
> becomes problematic then.
> 
> 
> ----- Original Message -----
> From: Darien Huss [mailto:dhuss at emergingthreats.net]
> To: Leonard Jacobs [mailto:ljacobs at netsecuris.com]
> Cc: oisf-users at openinfosecfoundation.org
> Sent: Fri, 20 Jun 2014 06:59:49 -0500
> Subject: Re: [Oisf-users] How do you ignore External IP Addresses?
> 
>> Without seeing the traffic I'm not sure if this would be reliable, but you
>> could possibly add something like this to that rule if the test webpage
>> occurs on the same domain every time:
>>
>> content:!"trustedvendor.com"; http_header;
>>
>> If their IP address were to change but the domain stays the same, the above
>> would still work.
>>
>> Regards,
>>
>> Darien
>>
>>
>> On Fri, Jun 20, 2014 at 7:24 AM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
>>
>> > I want to be able to ignore some External source IP addresses in
>> > signatures. Can I list them in suricata.yaml with a ! in front of them?
>> > Like:
>> >
>> > EXTERNAL_NET: "[!$HOME_NET, !x.x.x.x, !x.x.x.x/16]"   for example.
>> >
>> > I have a trusted vendor that is causing false positives because they
>> > refuse to change a numeric string in what they are sending in a test web
>> > page, so it is triggering a Trojan signature. I want to ignore their
>> > traffic. I know that is dangerous if they were really used as an attack
>> > vector into my network.
>> >
>> > Any suggestions?
>> >
>> > Leonard
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > OISF: http://www.openinfosecfoundation.org/
>> >
>>
> 
> Leonard Jacobs, MBA, CISSP, CSSA
> President/CEO, Netsecuris Inc.
> P 952-641-1421 ext. 20
> http://www.netsecuris.com
> 
> -- 
> 
> ~Brant Wells
> Network Administrator
> Toccoa Falls College
> 107 Kincaid Drive Toccoa Falls, GA 30598
> 706-886-7299 x5346 * bwells at tfc.edu
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
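As an added example (not code from the thread, the wiki page, or the Suricata project): before exempting a vendor's source ranges with a pass rule, as Leonard did with a custom suricata.yaml variable, it is worth replaying recent EVE alert logs to see exactly which signatures that rule would have silenced. The script assumes a `pass ip $TRUSTED_VENDOR any -> any any` style rule; the address-group names (`TRUSTED_VENDOR`, `HOME_NET`), their ranges, and the EVE records are all constructed for the example.

```python
import ipaddress
import json
from collections import Counter

# Constructed suricata.yaml-style address groups; the names and ranges
# are assumptions, not the poster's real configuration.
ADDRESS_GROUPS = {
    "HOME_NET": "[192.168.1.0/24, 10.0.0.0/16]",
    "TRUSTED_VENDOR": "[203.0.113.0/24, 198.51.100.7/32]",
}


def resolve_group(name, groups=ADDRESS_GROUPS):
    """Expand an address group, following nested $VAR references, into networks.
    Negated ('!') entries are rejected: a pass rule's source list is positive."""
    nets = []
    for token in groups[name].strip("[]").split(","):
        token = token.strip()
        if token.startswith("!"):
            raise ValueError(f"negation not modelled: {token}")
        if token.startswith("$"):
            nets.extend(resolve_group(token[1:], groups))
        elif token:
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def silenced_alerts(eve_lines, nets):
    """Count, per signature, the alerts whose src_ip lies in nets: these are
    what a 'pass ip <group> any -> any any' rule would suppress, i.e. the
    visibility traded away by exempting those sources."""
    hits = Counter()
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # only alerts matter for the pass-rule impact
        src = ipaddress.ip_address(rec["src_ip"])
        if any(src in net for net in nets):
            hits[rec["alert"]["signature"]] += 1
    return dict(hits)


# Constructed EVE JSON records, not real Suricata output.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"203.0.113.10","alert":{"signature":"Example TROJAN test-page string"}}',
    '{"event_type":"alert","src_ip":"203.0.113.10","alert":{"signature":"Example TROJAN test-page string"}}',
    '{"event_type":"alert","src_ip":"198.51.100.7","alert":{"signature":"Example EXPLOIT attempt"}}',
    '{"event_type":"alert","src_ip":"192.0.2.44","alert":{"signature":"Example TROJAN test-page string"}}',
    '{"event_type":"http","src_ip":"203.0.113.10"}',
]
```

Run `silenced_alerts(SAMPLE_EVE, resolve_group("TRUSTED_VENDOR"))` over a real eve.json to get the per-signature count; anything other than the known false positive is a reason to narrow the pass rule (e.g. by destination or port) instead of exempting the whole source range.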



