[Oisf-users] Suppress all signatures per source IP

Yasha Zislin coolyasha at hotmail.com
Mon Jun 30 14:51:29 UTC 2014


It looks like BPF filter will not work for me since I cannot afford inspection loss during service restart.

Is my specification of the EXTERNAL_NET variable correct? It doesn't seem to work correctly.
I have an IP 1.1.1.1 which is part of MYVAR, which should not be part of External net.
A rule triggers:

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"")

Judging from the variables config, it should not have triggered.

Any idea?

Thanks.

> Date: Thu, 26 Jun 2014 14:18:14 -0700
> From: cnelson at ucsd.edu
> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suppress all signatures per source IP
> 
> As mentioned, I really think bpf filters are the way to go here.
> 
> For example, we filter our IP traffic from the Qualys SOC vulnerability
> scanners with this expression:
> 
> not (net 64.39.96.0/20)
> 
> Note that bpf filters are preferable as they are extremely high performance.
> 
> -Coop
> 
> On 6/26/2014 12:48 PM, Yasha Zislin wrote:
> > Hmm. Sounds like a pain to do this with pass rules.
> > 
> > So the way I've done this in the past (with Snort) was that I've created
> > a custom variable with a list of IPs.
> > Then I would set my external net as follows.
> > 
> >  MYVAR_IP: "[1.1.1.1,2.2.2.2,3.3.3.3]"
> > 
> >  EXTERNAL_NET: "[!$HOME_NET,!$MYVAR_IP]"
> > 
> > Most of the rules are configured to check from external to home. So if
> > my IPs are not part of External, then this suppression occurs.
> > For some reason this does not work in Suricata.
> > 
> 
> 
> -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
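The thread hinges on what an address group like `[!$HOME_NET,!$MYVAR_IP]` is supposed to mean as set algebra, and whether a `$EXTERNAL_NET any -> $HOME_NET 53` rule should fire for source 1.1.1.1 under that config. The following is an added example, not code from the thread or from Suricata: a small evaluator that applies the intended semantics (a negated member excludes, a positive member includes, a variable is substituted) to the variables Yasha posted. The HOME_NET value, the sample packets and the `rule_matches` helper are assumptions made for the illustration; the thread reports that Suricata itself did not behave this way, so this shows the expected result, not the engine's parser.

```python
"""Evaluate Suricata-style address groups as set algebra (added example)."""
import ipaddress

# Constructed variables mirroring the thread. HOME_NET is an assumed value;
# MYVAR_IP and EXTERNAL_NET are copied from the posted config.
VARS = {
    "HOME_NET": "[10.0.0.0/8,192.168.0.0/16]",
    "MYVAR_IP": "[1.1.1.1,2.2.2.2,3.3.3.3]",
    "EXTERNAL_NET": "[!$HOME_NET,!$MYVAR_IP]",
}


def _split_top(text):
    """Split the inside of a bracketed list on top-level commas only."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        parts.append(cur)
    return parts


def matches(expr, ip, variables=VARS):
    """Return True if address `ip` is covered by address-group `expr`.

    Semantics used here (intended set algebra, not Suricata's own parser):
      - '!x'      : everything except x
      - '$NAME'   : substitute the variable
      - 'any'     : every address
      - '[a,!b]'  : (no positive members, or some positive member matches)
                    and no negated member matches, i.e. negations restrict
      - otherwise : an IP or CIDR literal
    """
    expr = expr.strip()
    if expr.startswith("!"):
        return not matches(expr[1:], ip, variables)
    if expr.startswith("$"):
        return matches(variables[expr[1:]], ip, variables)
    if expr == "any":
        return True
    if expr.startswith("[") and expr.endswith("]"):
        members = [m.strip() for m in _split_top(expr[1:-1])]
        positives = [m for m in members if not m.startswith("!")]
        negatives = [m[1:] for m in members if m.startswith("!")]
        pos_ok = not positives or any(matches(p, ip, variables) for p in positives)
        neg_ok = not any(matches(n, ip, variables) for n in negatives)
        return pos_ok and neg_ok
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def rule_matches(src_expr, dst_expr, src_ip, dst_ip, variables=VARS):
    """Assumed helper: does the address part of a rule match this packet?"""
    return matches(src_expr, src_ip, variables) and matches(dst_expr, dst_ip, variables)


if __name__ == "__main__":
    # Constructed packets: the scanner from MYVAR_IP and a real outside host,
    # both sending to a DNS server inside the assumed HOME_NET.
    for src in ("1.1.1.1", "8.8.8.8"):
        fired = rule_matches("$EXTERNAL_NET", "$HOME_NET", src, "10.0.0.53")
        print(f"{src} -> 10.0.0.53: rule {'fires' if fired else 'is suppressed'}")
```

With these semantics the scanner at 1.1.1.1 is excluded from `$EXTERNAL_NET` and the rule stays quiet, while 8.8.8.8 still triggers it. The same algebra also explains a common configuration pitfall: if HOME_NET is `any`, then `!$HOME_NET` covers nothing at all, so every rule keyed on `$EXTERNAL_NET` goes silent.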