[Oisf-users] Suppress all signatures per source IP

Victor Julien lists at inliniac.net
Mon Jun 30 15:08:10 UTC 2014


On 06/30/2014 05:06 PM, Yasha Zislin wrote:
> Nevermind this question. I found a better way to deal with this that
> works for me.
> 
> I will be suppressing alerts in threshold file:
> suppress gen_id 0, sig_id, track by_src, ip 1.1.1.1

A pass rule will perform better and will ultimately have the same
effect. Any reason you cannot use it?

See also
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic

Cheers,
Victor

> 
> 
> 
> ------------------------------------------------------------------------
> From: coolyasha at hotmail.com
> To: cnelson at ucsd.edu; oisf-users at lists.openinfosecfoundation.org
> Date: Mon, 30 Jun 2014 14:51:29 +0000
> Subject: Re: [Oisf-users] Suppress all signatures per source IP
> 
> It looks like BPF filter will not work for me since I cannot afford
> inspection loss during service restart.
> 
> Is my specification of EXTERNAL_NET variable correct? It doesn't seem to
> work correctly.
> I have an IP 1.1.1.1 which is part of MYVAR which should not be part of
> External net.
> A rule triggers:
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"")
> 
> Judging from the variables config, it should not have triggered.
> 
> Any idea?
> 
> Thanks.
> 
>> Date: Thu, 26 Jun 2014 14:18:14 -0700
>> From: cnelson at ucsd.edu
>> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Suppress all signatures per source IP
>>
> As mentioned, I really think bpf filters are the way to go here.
> 
> For example, we filter our IP traffic from the Qualys SOC vulnerability
> scanners with this expression:
> 
> not (net 64.39.96.0/20)
> 
> Note that bpf filters are preferable as they are extremely high
> performance.
> 
> -Coop
> 
> On 6/26/2014 12:48 PM, Yasha Zislin wrote:
>> Hmm. Sounds like a pain to do this with pass rules.
> 
>> So the way I've done this in the past (with Snort) was that I've created
>> a custom variable with a list of IPs.
>> Then I would set my external net as follows.
> 
>> MYVAR_IP: "[1.1.1.1,2.2.2.2,3.3.3.3]"
> 
>> EXTERNAL_NET: "[!$HOME_NET,!$MYVAR_IP]"
> 
>> Most of the rules are configured to check from external to home. So if
>> my IPs are not part of External, then this suppression occurs.
>> For some reason this does not work in Suricata.
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
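Worked example, added here and not part of the thread or of Suricata's own documentation: the three approaches discussed above (threshold suppress, pass rule, BPF capture filter) written out side by side, using the example addresses that appear in the thread. The sid, the rule file name and the reading of `sig_id 0` as "all signatures" are assumptions of this example.

```text
# --- Option 1: pass rule (the alternative Victor suggests) -----------------
# Goes in a rules file that suricata.yaml loads (assumed name: local.rules).
# Pass rules are evaluated before alert rules, so for a matching packet no
# alert is ever built and no threshold lookup happens. "->" mirrors
# "track by_src" (traffic *from* these hosts); use "<>" to cover both
# directions. sid 9000001 is an arbitrary local sid chosen for this example.
pass ip [1.1.1.1,2.2.2.2,3.3.3.3] any -> any any (msg:"Pass all traffic from trusted hosts"; sid:9000001; rev:1;)

# The same rule can reference an address-group variable declared under
# vars.address-groups in suricata.yaml (here MYVAR_IP from the thread):
#   pass ip $MYVAR_IP any -> any any (msg:"Pass all traffic from trusted hosts"; sid:9000001; rev:1;)

# --- Option 2: threshold.config suppress (the approach taken in the thread) -
# Each alert is still matched and generated internally, then discarded by the
# suppression lookup, which is why it costs more than a pass rule.
# sig_id 0 is read here as "every signature"; gen_id 0 is as used in the thread.
suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.1
suppress gen_id 0, sig_id 0, track by_src, ip 2.2.2.2
suppress gen_id 0, sig_id 0, track by_src, ip 3.3.3.3

# --- Option 3: BPF capture filter (Coop's suggestion) ----------------------
# Cheapest of all: matching packets never reach the detection engine at all.
# Changing it requires a restart, which is the drawback raised in the thread.
not (net 64.39.96.0/20)
```

Each option has a different blind spot: the BPF filter hides the traffic from every part of Suricata, including flow logging; the pass rule still decodes and flow-tracks the packets but generates nothing; the suppress entries leave the detection work in place and only hide the output. After adding the pass rule, `suricata -T -c /etc/suricata/suricata.yaml` (the configuration test mode) confirms the rule parses and the sid does not collide with an existing one.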