[Oisf-users] Suppress all signatures per source IP

Yasha Zislin coolyasha at hotmail.com
Thu Jun 26 19:48:52 UTC 2014


Hmm. Sounds like a pain to do this with pass rules.

So the way I've done this in the past (with Snort) was that I created a custom variable with a list of IPs.
Then I would set my external net as follows.

 MYVAR_IP: "[1.1.1.1,2.2.2.2,3.3.3.3]"

 EXTERNAL_NET: "[!$HOME_NET,!$MYVAR_IP]"

Most of the rules are configured to check from external to home. So if my IPs are not part of External, then this suppression occurs.
For some reason this does not work in Suricata. 



> Date: Thu, 26 Jun 2014 12:43:27 -0700
> From: cnelson at ucsd.edu
> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suppress all signatures per source IP
> 
> 
> I'm almost positive that bpf filters are only processed at run-time.
> They are actually compiled and then run in kernel space prior to sending
> the packets to the suricata process.
> 
> If you wanted to be able to do a live refresh you could just use pass
> rules, one per host or network like this:
> 
> > pass ip 111.222.111.222 any -> any any (sid:1)
> 
> (not sure if you even need a sid!)
> 
> - -Coop
> 
> On 6/26/2014 12:36 PM, Yasha Zislin wrote:
> > so if my filter file gets updated, would I have to restart suricata
> > service or rule-reload would refresh it?
> > 
> > Thanks for detailed explanation.
> > 
> >> Date: Thu, 26 Jun 2014 12:30:26 -0700
> >> From: cnelson at ucsd.edu
> >> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> >> Subject: Re: [Oisf-users] Suppress all signatures per source IP
> >>
> > Again, the right way to do this is via bpf filters. That way the
> > packets are efficiently filtered by the kernel.
> > 
> > Just start suricata with 'not host 111.222.111.222' on the command line.
> > 
> > If you are going to need a large list, use a filter file specified by
> > the -F command line argument.
> > 
> > Bpf filter syntax is explained here:
> > 
> >> http://biot.com/capstats/bpf.html
> > 
> > -Coop
> > 
> 
> - -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
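The two mechanisms discussed in the thread, a BPF filter file for `suricata -F` and one pass rule per host, built side by side from a single list. This is an added example, not code from any of the messages above. The list format (one address or CIDR per line, `#` comments, blank lines), the RFC 5737 sample addresses, the temp-file names and the sid range 9000000+ are assumptions for the example; pick a sid range that does not collide with your ruleset.

```shell
#!/bin/sh
# Added example (not from the thread): derive both suppression artifacts
# from one list of IPs/CIDRs:
#   1. a BPF expression for `suricata -F <file>` (compiled into the kernel
#      capture; a change needs a Suricata restart, as the thread notes)
#   2. a pass-rule file, one rule per entry (part of the ruleset, so it
#      goes through the normal rule reload)
# List format (one entry per line, '#' comments, blank lines) is an
# assumption of this example.

# Constructed sample list; replace with your own file.
LIST_FILE="${TMPDIR:-/tmp}/suppress-list.$$"
cat >"$LIST_FILE" <<'EOF'
# vulnerability scanners we never want alerts for
192.0.2.10
192.0.2.11

# whole management prefix
198.51.100.0/24
EOF

# Print the non-empty, non-comment entries of the list.
list_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Emit one BPF expression that excludes every entry in BOTH directions
# ('not host X' drops packets to and from X). 'host' for single
# addresses, 'net' for CIDR prefixes.
bpf_from_list() {
    bpf=""
    for e in $(list_entries "$1"); do
        case "$e" in
            */*) term="net $e" ;;
            *)   term="host $e" ;;
        esac
        if [ -z "$bpf" ]; then bpf="$term"; else bpf="$bpf or $term"; fi
    done
    printf 'not (%s)\n' "$bpf"
}

# Emit one pass rule per entry. As written (and as in the thread's rule)
# only traffic with the entry as SOURCE is passed; use '<>' instead of
# '->' if you want the same two-way effect as the BPF filter.
# sid range is an assumption; choose one unused in your ruleset.
pass_rules_from_list() {
    sid=9000000
    for e in $(list_entries "$1"); do
        printf 'pass ip %s any -> any any (msg:"suppress %s"; sid:%d; rev:1;)\n' \
            "$e" "$e" "$sid"
        sid=$((sid + 1))
    done
}

# Write both artifacts next to the list so they can be handed to
# `suricata -F suppress.bpf` or appended to the rule-files: section.
bpf_from_list "$LIST_FILE"        >"${TMPDIR:-/tmp}/suppress.bpf"
pass_rules_from_list "$LIST_FILE" >"${TMPDIR:-/tmp}/suppress.rules"
echo "wrote ${TMPDIR:-/tmp}/suppress.bpf and ${TMPDIR:-/tmp}/suppress.rules"
```

Before pointing Suricata at the BPF file, syntax-check the expression with `tcpdump -d "$(cat /tmp/suppress.bpf)"`, which compiles it without capturing. Note the directional difference the thread glosses over: the BPF filter silences the host as both source and destination, while `pass ip X any -> any any` only covers packets where X is the source.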