[Oisf-users] Suppress all signatures per source IP

Yasha Zislin coolyasha at hotmail.com
Mon Jun 30 15:22:35 UTC 2014


Victor, 

This works as well.
I'll stick with this approach. 

Thanks for the info.

> Date: Mon, 30 Jun 2014 17:08:10 +0200
> From: lists at inliniac.net
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suppress all signatures per source IP
> 
> On 06/30/2014 05:06 PM, Yasha Zislin wrote:
> > Nevermind this question. I found a better way to deal with this that
> > works for me.
> > 
> > I will be suppressing alerts in threshold file:
> > suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.1
> 
> A pass rule will perform better and will ultimately have the same
> effect. Any reason you cannot use it?
> 
> See also
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic
> 
> Cheers,
> Victor
> 
> > 
> > 
> > 
> > ------------------------------------------------------------------------
> > From: coolyasha at hotmail.com
> > To: cnelson at ucsd.edu; oisf-users at lists.openinfosecfoundation.org
> > Date: Mon, 30 Jun 2014 14:51:29 +0000
> > Subject: Re: [Oisf-users] Suppress all signatures per source IP
> > 
> > It looks like BPF filter will not work for me since I cannot afford
> > inspection loss during service restart.
> > 
> > Is my specification of EXTERNAL_NET variable correct? It doesn't seem to
> > work correctly.
> > I have an IP 1.1.1.1 which is part of MYVAR which should not be part of
> > External net.
> > A rule triggers:
> > 
> > alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"")
> > 
> > Judging from the variables config, it should not have triggered.
> > 
> > Any idea?
> > 
> > Thanks.
> > 
> >> Date: Thu, 26 Jun 2014 14:18:14 -0700
> >> From: cnelson at ucsd.edu
> >> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> >> Subject: Re: [Oisf-users] Suppress all signatures per source IP
> >>
> >> As mentioned, I really think bpf filters are the way to go here.
> >>
> >> For example, we filter our IP traffic from the Qualys SOC vulnerability
> >> scanners with this expression:
> >>
> >> not (net 64.39.96.0/20)
> >>
> >> Note that bpf filters are preferable as they are extremely high
> >> performance.
> >>
> >> -Coop
> >>
> >> On 6/26/2014 12:48 PM, Yasha Zislin wrote:
> >>> Hmm. Sounds like a pain to do this with pass rules.
> >>>
> >>> So the way I've done this in the past (with Snort) was that I've created
> >>> a custom variable with a list of IPs.
> >>> Then I would set my external net as follows.
> >>>
> >>> MYVAR_IP: "[1.1.1.1,2.2.2.2,3.3.3.3]"
> >>>
> >>> EXTERNAL_NET: "[!$HOME_NET,!$MYVAR_IP]"
> >>>
> >>> Most of the rules are configured to check from external to home. So if
> >>> my IPs are not part of External, then this suppression occurs.
> >>> For some reason this does not work in Suricata.
> > 
> > 
> > 
> > 
> > _______________________________________________ Suricata IDS Users
> > mailing list: oisf-users at openinfosecfoundation.org Site:
> > http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List:
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> > 
> > 
> 
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 
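The thread ends up with three ways of ignoring a source: a BPF capture filter (Coop), a threshold.config suppress line (Yasha), and a pass rule (Victor). They are not equivalent. A suppress entry with "track by_src" silences an alert only when the listed address is the packet's source, whereas a pass rule written with "<>" drops inspection for either direction, and Suricata still runs the full signature for a suppressed alert before discarding the output, which is why Victor expects the pass rule to perform better. The script below is an added example for this thread, not Suricata's code and not posted by anyone in it. It dry-runs a suppress entry and a pass rule against EVE JSON alert records so you can see the direction difference before touching a production sensor. Assumptions: it parses only the suppress form used in the thread (single IP or CIDR in the "ip" field, anything else raises), the pass rule is assumed to be "pass ip <net> any <> any any", the EVE field names are Suricata's (src_ip, dest_ip, alert.gid, alert.signature_id), and the sample events and signature ids are constructed.

```python
"""Dry-run a threshold.config 'suppress' entry and a 'pass' rule against
Suricata EVE JSON alert records, to see which alerts each one silences.

Added example for this thread; not Suricata's code and not from any poster.
Only the threshold.config form used in the thread is parsed:
    suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|cidr>
gen_id 0 and sig_id 0 are wildcards, as in Suricata.  Field names follow
eve.json (src_ip, dest_ip, alert.gid, alert.signature_id)."""
import ipaddress
import json
import re

SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,"
    r"\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+)\s*$"
)


def parse_suppress(line):
    """Parse one suppress line into a dict; raise on anything unsupported
    so a list or negation in the ip field is never silently misread."""
    m = SUPPRESS_RE.match(line)
    if not m:
        raise ValueError("unsupported suppress line: %r" % line)
    gid, sid, track, ip = m.groups()
    return {"gid": int(gid), "sid": int(sid), "track": track,
            "net": ipaddress.ip_network(ip, strict=False)}


def load_threshold(lines):
    """Keep suppress entries, skip blank lines and '#' comments."""
    return [parse_suppress(l) for l in lines
            if l.strip() and not l.lstrip().startswith("#")]


def is_suppressed(alert, entries):
    """True if some suppress entry silences this alert event.
    by_src looks only at src_ip and by_dst only at dest_ip, so the
    packet direction decides the outcome."""
    a = alert["alert"]
    for e in entries:
        if e["gid"] not in (0, a["gid"]):
            continue
        if e["sid"] not in (0, a["signature_id"]):
            continue
        addr = alert["src_ip"] if e["track"] == "by_src" else alert["dest_ip"]
        if ipaddress.ip_address(addr) in e["net"]:
            return True
    return False


def pass_rule_matches(alert, net):
    """Approximates the assumed rule 'pass ip <net> any <> any any':
    the packet is passed if either endpoint is inside net."""
    n = ipaddress.ip_network(net, strict=False)
    return (ipaddress.ip_address(alert["src_ip"]) in n
            or ipaddress.ip_address(alert["dest_ip"]) in n)


def preview(eve_lines, threshold_lines, pass_net):
    """Return one (sid, src, dst, suppressed, passed) tuple per alert event."""
    entries = load_threshold(threshold_lines)
    rows = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        rows.append((ev["alert"]["signature_id"], ev["src_ip"], ev["dest_ip"],
                     is_suppressed(ev, entries), pass_rule_matches(ev, pass_net)))
    return rows


# Constructed sample input: three alerts and one flow record, using the
# thread's 1.1.1.1 as the scanner.  Signature ids are made up.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"1.1.1.1","dest_ip":"10.0.0.5",'
    '"alert":{"gid":1,"signature_id":1000001,"signature":"scanner probe"}}',
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"1.1.1.1",'
    '"alert":{"gid":1,"signature_id":1000002,"signature":"server reply"}}',
    '{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.5",'
    '"alert":{"gid":1,"signature_id":1000001,"signature":"other host"}}',
    '{"event_type":"flow","src_ip":"1.1.1.1","dest_ip":"10.0.0.5"}',
]
SAMPLE_THRESHOLD = [
    "# constructed threshold.config",
    "suppress gen_id 0, sig_id 0, track by_src, ip 1.1.1.1",
]

if __name__ == "__main__":
    for sid, src, dst, sup, passed in preview(SAMPLE_EVE, SAMPLE_THRESHOLD, "1.1.1.1"):
        print("sid=%d %s -> %s  suppressed=%s  passed=%s"
              % (sid, src, dst, sup, passed))
```

On the sample, the probe from 1.1.1.1 is silenced by both mechanisms, the alert on the reply back to 1.1.1.1 is silenced only by the pass rule, and the unrelated host is untouched by either. To use it on real data, feed it lines from your own eve.json and the suppress lines you intend to deploy; if you rely on "track by_src" alone, alerts where the scanner is the destination will keep coming.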