[Oisf-users] Suppress all signatures per source IP

Yasha Zislin coolyasha at hotmail.com
Thu Jun 26 19:36:00 UTC 2014


So if my filter file gets updated, would I have to restart the Suricata service, or would a rule reload refresh it?

Thanks for detailed explanation.

> Date: Thu, 26 Jun 2014 12:30:26 -0700
> From: cnelson at ucsd.edu
> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suppress all signatures per source IP
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Again, the right way to do this is via bpf filters.  That way the
> packets are efficiently filtered by the kernel.
> 
> Just start suricata with 'not host 111.222.111.222' on the command line.
> 
> If you are going to need a large list, use a filter file specified by
> the -F command line argument.
> 
> Bpf filter syntax is explained here:
> 
> > http://biot.com/capstats/bpf.html
> 
> - -Coop
> 
> On 6/26/2014 12:23 PM, Yasha Zislin wrote:
> > Is there a way to use threshold.conf to suppress all signatures coming
> > from unique source IP address?
> > 
> > Something like this:
> > suppress gen_id 0, sig_id 0, track by_src, ip 111.222.111.222
> > 
> > Or is there another way of doing this? I want basically to whitelist
> > some IPs so no rules apply to them.
> > 
> > Thanks.
> > 
> > 
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> > 
> 
> 
> - -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> 
> iQEcBAEBAgAGBQJTrHTSAAoJEKIFRYQsa8FWk9sH/2/hkKRC/crzvU3O4dCz8RVG
> USk0MBcXPmxUSNZt1G1JHxJ9ky7K7ZNTo5pfDc47342kPcCO3plM03VujpSoEQjf
> Zva6SKCTwo8ZzfgjaWQniUzHs3tQMCQ6CPtOKoR8sgwy9o5jduA01ucyUuJyhGI1
> GZ2FMiCekV8LPu/fjC3gASTE2kUlSQ0RQJlhYOHJuVxR7lugV1WfIvEIDxItYTFx
> hMdR1PfSm4u2JCkpAqZ1TIO2RmoaxcRFPy+NcInIg6zryQwU280qDSMaBSFrakhX
> ZqV5IXW0acvKPumtQOdQxz80pDoaHXvkOeMxoDerkU1UR8KSwiyfcX0ynh2pakM=
> =wER8
> -----END PGP SIGNATURE-----
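As an added example that is not part of the thread above: Coop's suggestion of a filter file for the "large list" case means maintaining a BPF expression of the form `not (host A or host B ...)`. The POSIX shell function below builds that expression from a plain whitelist file (one address or CIDR per line, `#` comments allowed) so the list can be kept in a readable form and regenerated for Suricata's `-F` option. The whitelist contents, the temp-file handling and the `suricata` invocation in the trailing comment are assumptions for illustration; only the `-F` flag and the `not host` syntax come from the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Suricata project.
# Turns a whitelist file into a single BPF exclusion expression suitable for
# Suricata's -F <file>. Assumed conventions: one entry per line, '#' starts a
# comment, an entry containing '/' is treated as a CIDR and becomes 'net',
# anything else becomes 'host'.

# build_bpf_exclude <listfile>
# Prints: not (host A or net B/24 ...)   (prints nothing for an empty list)
build_bpf_exclude() {
    expr=""
    # '|| [ -n "$line" ]' keeps a last line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        # strip comments and surrounding whitespace
        entry=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        case "$entry" in
            */*) term="net $entry" ;;
            *)   term="host $entry" ;;
        esac
        if [ -z "$expr" ]; then
            expr="$term"
        else
            expr="$expr or $term"
        fi
    done < "$1"
    if [ -n "$expr" ]; then
        printf 'not (%s)\n' "$expr"
    fi
}

# Constructed sample whitelist (the 111.222.111.222 address is the one used
# in the thread; the /24 entry is made up for the example).
WL=$(mktemp)
cat > "$WL" <<'EOF'
# hosts that no rules should ever fire on
111.222.111.222
10.0.0.0/24   # assumed management network
EOF

# Generate the filter file that would be handed to Suricata with -F
BPF_FILE=$(mktemp)
build_bpf_exclude "$WL" > "$BPF_FILE"
cat "$BPF_FILE"
# Assumed invocation (check your own suricata.yaml/interface):
#   suricata -c /etc/suricata/suricata.yaml -i eth0 -F "$BPF_FILE"
```

Because the expression is applied at capture time, every packet from a whitelisted address is dropped before Suricata sees it, so those hosts disappear from flow and protocol logs as well as from alerts; that is the trade-off against a threshold.conf-style suppress, which only silences alerts. A regenerated file can be syntax-checked offline with `tcpdump -r some.pcap "$(cat filter.bpf)"` before it is deployed.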