[Oisf-users] Suppress all signatures per source IP

Yasha Zislin coolyasha at hotmail.com
Thu Jun 26 23:25:02 UTC 2014


I like the idea of a bpf filter from every aspect, but during a service restart I would lose inspection...

--- Original Message ---

From: "Cooper F. Nelson" <cnelson at ucsd.edu>
Sent: June 26, 2014 5:18 PM
To: "Yasha Zislin" <coolyasha at hotmail.com>, oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suppress all signatures per source IP


As mentioned, I really think bpf filters are the way to go here.

For example, we filter our IP traffic from the Qualys SOC vulnerability
scanners with this expression:

not (net 64.39.96.0/20)

Note that bpf filters are preferable as they are extremely high performance.

-Coop

On 6/26/2014 12:48 PM, Yasha Zislin wrote:
> Hmm. Sounds like a pain to do this with pass rules.
>
> So the way I've done this in the past (with Snort) was that I've created
> a custom variable with a list of IPs.
> Then I would set my external net as follows.
>
>  MYVAR_IP: "[1.1.1.1,2.2.2.2,3.3.3.3]"
>
>  EXTERNAL_NET: "[!$HOME_NET,!$MYVAR_IP]"
>
> Most of the rules are configured to check from external to home. So if
> my IPs are not part of External, then this suppression occurs.
> For some reason this does not work in Suricata.
>


--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
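An added example, not code from this thread or from the Suricata project: a small Python script that keeps a single list of scanner sources and emits the three forms discussed above, the BPF expression Cooper uses, equivalent Suricata pass rules, and the address-group string Yasha used with Snort. The sample addresses are the ones quoted in the thread, used here as constructed input; the sid range and msg text are assumptions. It also shows the operational trade-off behind Yasha's objection: a bpf filter is applied at capture, so matching packets never reach the detect engine and changing the list means a restart, whereas pass rules still capture and decode that traffic (they only stop alerts) and a rules file can be swapped without a restart where the running Suricata supports live rule reload.

```python
"""Generate scanner exclusions for Suricata from one source list.

Added example, not from the mailing-list thread.  SCANNER_SOURCES is a
constructed sample; sid_base and msg below are assumed values.
"""
import ipaddress

# Constructed sample: the Qualys range from Cooper's message plus the
# placeholder hosts from Yasha's MYVAR_IP example, with one duplicate on
# purpose so the collapsing step is exercised.
SCANNER_SOURCES = [
    "64.39.96.0/20",
    "1.1.1.1",
    "2.2.2.2",
    "3.3.3.3",
    "2.2.2.2",
]


def parse_sources(sources):
    """Validate every entry and collapse duplicates/overlaps into a minimal list.

    A malformed entry raises ValueError rather than being skipped: a typo in a
    list that feeds a capture filter would otherwise silently exclude nothing
    (or the wrong thing).  strict=False accepts host bits in a CIDR entry.
    All entries must be the same IP version; ipaddress raises TypeError otherwise.
    """
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in sources if s.strip()]
    return list(ipaddress.collapse_addresses(nets))


def _addr(net):
    """'host' form for single addresses, CIDR form for networks."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return net.with_prefixlen


def bpf_filter(sources):
    """BPF expression dropping the sources at capture, in either direction.

    'net X/Y' and 'host X' match src or dst, so one term per network is enough.
    Suricata compiles this once at startup; editing it requires a restart.
    """
    terms = []
    for net in parse_sources(sources):
        if net.prefixlen == net.max_prefixlen:
            terms.append("host %s" % _addr(net))
        else:
            terms.append("net %s" % _addr(net))
    return "not (%s)" % " or ".join(terms)


def pass_rules(sources, sid_base=9000000, msg="pass scanner traffic"):
    """One bidirectional 'pass ip' rule per network, any port.

    Pass rules are evaluated before alert/drop rules, so matching packets are
    still captured and decoded (flows, stats, logs) but never alert.  The
    rules file can be reloaded live instead of restarting the sensor.
    sid_base and msg are assumed values; pick a sid range you own.
    """
    rules = []
    for i, net in enumerate(parse_sources(sources)):
        rules.append('pass ip %s any <> any any (msg:"%s"; sid:%d; rev:1;)'
                     % (_addr(net), msg, sid_base + i))
    return rules


def address_group(sources):
    """Value for a suricata.yaml address-groups variable, e.g. MYVAR_IP."""
    return "[%s]" % ",".join(_addr(net) for net in parse_sources(sources))


if __name__ == "__main__":
    print("bpf-filter: %s" % bpf_filter(SCANNER_SOURCES))
    print("MYVAR_IP: \"%s\"" % address_group(SCANNER_SOURCES))
    print("\n".join(pass_rules(SCANNER_SOURCES)))
```

If you prefer a single rule over one per network, define the group under `vars: address-groups:` in suricata.yaml with the `address_group()` output and write `pass ip $MYVAR_IP any <> any any (...)` once; the per-network form above is what you would use when the rules file is the only thing you can change without touching the main config.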



More information about the Oisf-users mailing list