[Oisf-users] Suppress all signatures per source IP
Yasha Zislin
coolyasha at hotmail.com
Mon Jun 30 15:22:35 UTC 2014
Victor,
This works as well.
I'll stick with this approach.
Thanks for the info.
> Date: Mon, 30 Jun 2014 17:08:10 +0200
> From: lists at inliniac.net
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suppress all signatures per source IP
>
> On 06/30/2014 05:06 PM, Yasha Zislin wrote:
> > Nevermind this question. I found a better way to deal with this that
> > works for me.
> >
> > I will be suppressing alerts in threshold file:
> > suppress gen_id 0, sig_id, track by_src, ip 1.1.1.1
>
> A pass rule will perform better and will ultimately have the same
> effect. Any reason you cannot use it?
>
> See also
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic
>
> Cheers,
> Victor
>
> >
> >
> >
> > ------------------------------------------------------------------------
> > From: coolyasha at hotmail.com
> > To: cnelson at ucsd.edu; oisf-users at lists.openinfosecfoundation.org
> > Date: Mon, 30 Jun 2014 14:51:29 +0000
> > Subject: Re: [Oisf-users] Suppress all signatures per source IP
> >
> > It looks like BPF filter will not work for me since I cannot afford
> > inspection loss during service restart.
> >
> > Is my specification of EXTERNAL_NET variable correct? It doesnt seem to
> > work correctly.
> > I have an IP 1.1.1.1 which is part of MYVAR whish should not be part of
> > External net.
> > A rule triggers:
> >
> > alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"")
> >
> > Judging from the variables config, it should not have triggered.
> >
> > Any idea?
> >
> > Thanks.
> >
> >> Date: Thu, 26 Jun 2014 14:18:14 -0700
> >> From: cnelson at ucsd.edu
> >> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
> >> Subject: Re: [Oisf-users] Suppress all signatures per source IP
> >>
> > As mentioned, I really think bpf filters are the way to go here.
> >
> > For example, we filter our IP traffic from the Qualys SOC vulnerability
> > scanners with this expression:
> >
> > not (net 64.39.96.0/20)
> >
> > Note that bpf filters are preferable as they are extremely high
> >> performance.
> >
> > -Coop
> >
> > On 6/26/2014 12:48 PM, Yasha Zislin wrote:
> >> Hmm. Sounds like a pain to do this with pass rules.
> >
> >> So the way I've done this in the past (with Snort) was that I've created
> >> a custom variable with a list of IPs.
> >> Then I would set my external net as follows.
> >
> >> MYVAR_IP: "[1.1.1.1,2.2.2.2,3.3.3.3]"
> >
> >> EXTERNAL_NET: "[!$HOME_NET,!$MYVAR_IP]"
> >
> >> Most of the rules are configured to check from external to home. So if
> >> my IPs are not part of External, then this suppression occurs.
> >> For some reason this does not work in Suricata.
> >
> >
> >
> >
> > _______________________________________________ Suricata IDS Users
> > mailing list: oisf-users at openinfosecfoundation.org Site:
> > http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List:
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> >
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140630/4438969b/attachment-0002.html>
More information about the Oisf-users
mailing list