[Oisf-users] Suppress all signatures per source IP
Yasha Zislin
coolyasha at hotmail.com
Thu Jun 26 19:36:00 UTC 2014
So if my filter file gets updated, would I have to restart the Suricata service, or would a rule reload refresh it?
Thanks for detailed explanation.
> Date: Thu, 26 Jun 2014 12:30:26 -0700
> From: cnelson at ucsd.edu
> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suppress all signatures per source IP
>
> Again, the right way to do this is via bpf filters. That way the
> packets are efficiently filtered by the kernel.
>
> Just start suricata with 'not host 111.222.111.222' on the command line.
>
> If you are going to need a large list, use a filter file specified by
> the -F command line argument.
>
> Bpf filter syntax is explained here:
>
> http://biot.com/capstats/bpf.html
>
> -Coop
>
> On 6/26/2014 12:23 PM, Yasha Zislin wrote:
> > Is there a way to use threshold.conf to suppress all signatures coming
> > from unique source IP address?
> >
> > Something like this:
> > suppress gen_id 0, sig_id 0, track by_src, ip 111.222.111.222
> >
> > Or is there another way of doing this? I want basically to whitelist
> > some IPs so no rules apply to them.
> >
> > Thanks.
> >
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
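As an added example (not code from this thread, from Suricata, or from the list), here is a small POSIX shell script that builds the 'not host ...' BPF expression Cooper describes from a whitelist file and writes it out for Suricata's -F option; the file names and IPs in it are made up, and each entry is validated so a malformed line cannot become an unexpected BPF clause.

```shell
#!/bin/sh
# Added example, not code from the thread or from Suricata itself: build the
# 'not host ...' BPF expression Cooper describes for a whitelist of IPs, so it
# can be handed to Suricata through -F.  File names and IPs below are made up.

# Accept only a strict dotted-quad IPv4 address (each octet 0-255).  Runs in a
# subshell so the IFS change used for splitting does not leak out.
valid_ipv4() (
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || exit 1
    done
)

# Print one BPF expression that excludes every IP given as an argument, e.g.
# 'not (host 10.0.0.1 or host 192.0.2.7)'.  Fails on the first invalid entry.
build_bpf_filter() {
    hosts=""
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "rejected non-IPv4 entry: $ip" >&2; return 1; }
        if [ -z "$hosts" ]; then
            hosts="host $ip"
        else
            hosts="$hosts or host $ip"
        fi
    done
    [ -n "$hosts" ] || return 1
    printf 'not (%s)\n' "$hosts"
}

# Turn a whitelist file (one IP per line; '#' comments and blank lines allowed)
# into a filter file that Suricata can load with:  suricata -F "$2" ...
write_filter_file() {
    ips=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")
    # set -f: no pathname expansion while the list is word-split into arguments
    ( set -f; build_bpf_filter $ips > "$2" )
}

# Demo with a constructed whitelist in a temporary directory.
tmp=$(mktemp -d)
printf '# analyst workstations\n111.222.111.222\n10.0.0.5\n' > "$tmp/whitelist.txt"
write_filter_file "$tmp/whitelist.txt" "$tmp/whitelist.bpf"
cat "$tmp/whitelist.bpf"   # not (host 111.222.111.222 or host 10.0.0.5)
rm -r "$tmp"
```

Note the trade-off: packets dropped by the BPF never reach Suricata, so whitelisted hosts also disappear from flow and protocol logs, not just from alerts.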