[Oisf-users] Suppress all signatures per source IP
Yasha Zislin
coolyasha at hotmail.com
Mon Jun 30 14:51:29 UTC 2014
It looks like BPF filter will not work for me since I cannot afford inspection loss during service restart.
Is my specification of the EXTERNAL_NET variable correct? It doesn't seem to work correctly.
I have an IP 1.1.1.1 which is part of MYVAR, which should not be part of EXTERNAL_NET.
A rule triggers:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"")

Judging from the variables config, it should not have triggered.
Any idea?
Thanks.
> Date: Thu, 26 Jun 2014 14:18:14 -0700
> From: cnelson at ucsd.edu
> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suppress all signatures per source IP
>
> As mentioned, I really think bpf filters are the way to go here.
>
> For example, we filter our IP traffic from the Qualys SOC vulnerability
> scanners with this expression:
>
> not (net 64.39.96.0/20)
>
> Note that bpf filters are preferable as they are extremely high performance.
>
> - -Coop
>
> On 6/26/2014 12:48 PM, Yasha Zislin wrote:
> > Hmm. Sounds like a pain to do this with pass rules.
> >
> > So the way I've done this in the past (with Snort) was that I've created
> > a custom variable with a list of IPs.
> > Then I would set my external net as follows.
> >
> > MYVAR_IP: "[1.1.1.1,2.2.2.2,3.3.3.3]"
> >
> > EXTERNAL_NET: "[!$HOME_NET,!$MYVAR_IP]"
> >
> > Most of the rules are configured to check from external to home. So if
> > my IPs are not part of External, then this suppression occurs.
> > For some reason this does not work in Suricata.
> >
>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
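The thread turns on how Suricata resolves an address variable built from negated entries, `EXTERNAL_NET: "[!$HOME_NET,!$MYVAR_IP]"`, and whether a source of 1.1.1.1 can still satisfy `alert udp $EXTERNAL_NET any -> $HOME_NET 53`. The script below is an added example for checking that offline; it is not code from the thread or from the Suricata project. It models the list semantics the Suricata rule documentation describes for entries such as `[10.0.0.0/24, !10.0.0.5]`: a list is the union of its non-negated entries (or "any" when every entry is negated), minus anything matched by a negated entry, with `$VAR` expanded recursively. Whether a given Suricata build resolves a particular variable exactly this way is an assumption to confirm against that build; the HOME_NET value is a constructed placeholder, since the thread does not show it, and only the rule header is evaluated, not the rule options.

```python
"""Offline check of Suricata-style address/port variables against a rule header.

Added example, not from the oisf-users thread or the Suricata code base.
Assumed semantics (per the Suricata rule docs for address lists): a list is the
union of its positive entries, or 'any' if it has none, minus every negated
entry; '!' negates the expression it prefixes; '$NAME' expands a variable.
"""
import ipaddress


def _split_top_level(s, seps=","):
    """Split on separator characters that are not nested inside [...]."""
    parts, cur, depth = [], [], 0
    for ch in s:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch in seps and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def _match(expr, value, variables, atom):
    """Recursively decide whether value satisfies expr under the assumed semantics."""
    expr = expr.strip()
    if expr.lower() == "any":
        return True
    if expr.startswith("!"):
        return not _match(expr[1:], value, variables, atom)
    if expr.startswith("$"):
        name = expr[1:]
        if name not in variables:
            raise KeyError(f"undefined variable ${name}")
        return _match(variables[name], value, variables, atom)
    if expr.startswith("[") and expr.endswith("]"):
        entries = _split_top_level(expr[1:-1])
        positives = [e for e in entries if not e.startswith("!")]
        negatives = [e[1:] for e in entries if e.startswith("!")]
        in_positive = not positives or any(_match(p, value, variables, atom) for p in positives)
        in_negative = any(_match(n, value, variables, atom) for n in negatives)
        return in_positive and not in_negative
    return atom(expr, value)


def _addr_atom(expr, ip):
    """Single IP or CIDR: a bare address is treated as a /32 (or /128)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def _port_atom(expr, port):
    """Single port 'N', or range 'N:M', 'N:', ':M'."""
    lo, sep, hi = expr.partition(":")
    lo = int(lo) if lo else 0
    hi = int(hi) if hi else (65535 if sep else lo)
    return lo <= port <= hi


def rule_header_matches(header, pkt, address_groups, port_groups=None):
    """Evaluate only the rule header (action proto src sport dir dst dport)."""
    port_groups = port_groups or {}
    tokens = _split_top_level(header.split("(", 1)[0], seps=" \t")
    _action, proto, src, sport, direction, dst, dport = tokens
    if proto.lower() not in ("ip", pkt["proto"].lower()):
        return False

    def one_way(s, sp, d, dp):
        return (_match(s, pkt["src"], address_groups, _addr_atom)
                and _match(sp, pkt["sport"], port_groups, _port_atom)
                and _match(d, pkt["dst"], address_groups, _addr_atom)
                and _match(dp, pkt["dport"], port_groups, _port_atom))

    if direction == "->":
        return one_way(src, sport, dst, dport)
    if direction == "<>":
        return one_way(src, sport, dst, dport) or one_way(dst, dport, src, sport)
    raise ValueError(f"unknown direction {direction!r}")


# Address groups from the thread; HOME_NET is a constructed placeholder value.
ADDRESS_GROUPS = {
    "HOME_NET": "[10.0.0.0/8,192.168.0.0/16]",
    "MYVAR_IP": "[1.1.1.1,2.2.2.2,3.3.3.3]",
    "EXTERNAL_NET": "[!$HOME_NET,!$MYVAR_IP]",
}
RULE = 'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"";)'


def in_external_net(ip):
    return _match("$EXTERNAL_NET", ip, ADDRESS_GROUPS, _addr_atom)


def dns_query_matches(src):
    """Constructed packet: UDP from src to an internal resolver on port 53."""
    pkt = {"proto": "udp", "src": src, "sport": 40000, "dst": "10.0.0.53", "dport": 53}
    return rule_header_matches(RULE, pkt, ADDRESS_GROUPS)


if __name__ == "__main__":
    for ip in ("1.1.1.1", "8.8.8.8", "10.0.0.9"):
        print(f"{ip:>9}  in $EXTERNAL_NET: {in_external_net(ip)!s:5}  "
              f"header matches: {dns_query_matches(ip)}")
```

Under this model 1.1.1.1 is outside `$EXTERNAL_NET` and the header does not match, while 8.8.8.8 does match. If the engine still alerts on traffic from 1.1.1.1, the difference lies between this model and the deployed configuration (the variable section the value lives in, the effective HOME_NET, or the engine's handling of the negated list), which is exactly what to compare next.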