[Oisf-users] Suppress all signatures per source IP

Cooper F. Nelson cnelson at ucsd.edu
Thu Jun 26 19:30:26 UTC 2014



Again, the right way to do this is via bpf filters.  That way the
packets are efficiently filtered by the kernel.

Just start suricata with 'not host 111.222.111.222' on the command line.

If you are going to need a large list, use a filter file specified by
the -F command line argument.

Bpf filter syntax is explained here:

> http://biot.com/capstats/bpf.html

-Coop

On 6/26/2014 12:23 PM, Yasha Zislin wrote:
> Is there a way to use threshold.conf to suppress all signatures coming
> from unique source IP address?
> 
> Something like this:
> suppress gen_id 0, sig_id 0, track by_src, ip 111.222.111.222
> 
> Or is there another way of doing this? I want basically to whitelist
> some IPs so no rules apply to them.
> 
> Thanks.


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
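An added example, not from the thread, of the approach Cooper describes: a POSIX shell function that turns a whitelist file into one BPF expression suitable for the `-F` filter file, so the excluded hosts are dropped by the kernel before any rule runs. The whitelist format (one IPv4 address or CIDR per line, `#` comments), the function names and the sample addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build a BPF exclusion filter for `suricata -F <file>`.
# Assumed whitelist format: one IPv4 address or CIDR block per line,
# '#' starts a comment, blank lines are ignored.

# build_bpf_filter LISTFILE
# Prints "not (host A or net B/len ...)" or nothing when the list is empty.
build_bpf_filter() {
    expr=""
    while IFS= read -r line || [ -n "$line" ]; do
        # strip comments and surrounding whitespace
        entry=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        # reject anything that is not digits, dots or a slash (typo guard)
        case "$entry" in
            *[!0-9./]*) echo "skipping malformed entry: $entry" >&2; continue ;;
        esac
        case "$entry" in
            */*) term="net $entry" ;;   # CIDR block  -> BPF 'net'
            *)   term="host $entry" ;;  # single host -> BPF 'host'
        esac
        if [ -z "$expr" ]; then expr="$term"; else expr="$expr or $term"; fi
    done < "$1"
    # An empty list must produce no filter at all: "not ()" is a BPF syntax error
    # and would stop Suricata from starting.
    [ -n "$expr" ] && printf 'not (%s)\n' "$expr"
    return 0
}

# write_filter_file LISTFILE OUTFILE
# Writes the expression to OUTFILE (for -F); removes a stale OUTFILE if the list is empty.
write_filter_file() {
    filter=$(build_bpf_filter "$1")
    if [ -n "$filter" ]; then
        printf '%s\n' "$filter" > "$2"
    else
        rm -f "$2"
    fi
    return 0
}

# Demonstration on a constructed whitelist (sample addresses, not real hosts).
demo_list=$(mktemp)
printf '# trusted scanners\n111.222.111.222\n10.0.0.0/8  # corp range\n' > "$demo_list"
echo "BPF filter: $(build_bpf_filter "$demo_list")"
echo "Run as:     suricata -F /etc/suricata/whitelist.bpf -c suricata.yaml -i eth0"
rm -f "$demo_list"
```

Regenerate the filter file and restart Suricata whenever the whitelist changes; the expression is read once at startup.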


