[Oisf-users] Modifying a rule
James Moe
jimoe at sohnen-moe.com
Mon Apr 27 23:55:25 UTC 2015
Hello,
suricata 2.0.7
linux 3.16.7-21-desktop x86_64
One of the contributors to fast.log is a VLAN alert. It is a
broadcast emitted every two seconds from our Dish TV receiver. I
decided to modify the rule so that it would ignore packets from that
device.
Because it is a broadcast (I guess), there is no IP address in the
packets, just the MAC address.
How do I rewrite the rule to ignore a particular MAC address?
This is the rule slightly modified to somewhat limit its scope:
alert pkthdr [$EXTERNAL_NET] any -> $HOME_NET any (msg:"SURICATA VLAN unknown type"; decode-event:vlan.unknown_type; sid:2200067; rev:1;)
--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
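As an added example, not part of this post or of Suricata itself: a short Python script that first measures how much of fast.log the one sid accounts for, then builds a capture-level BPF filter that excludes the receiver's source MAC. It assumes the fast.log lines (constructed here), a placeholder MAC, and that the filter is applied at capture time through Suricata's BPF filter support, where the Ethernet header is visible even though the frames carry no IP address.

```python
import re
from collections import Counter

# Constructed sample fast.log lines, laid out like Suricata's fast.log output
# (timestamp, [gid:sid:rev], message, classification, priority, endpoints).
# The last line is a made-up ordinary alert so something survives the filter.
SAMPLE_FAST_LOG = """\
04/27/2015-16:40:01.123456  [**] [1:2200067:1] SURICATA VLAN unknown type [**] [Classification: (null)] [Priority: 3] [**] 0.0.0.0:0 -> 0.0.0.0:0
04/27/2015-16:40:03.123990  [**] [1:2200067:1] SURICATA VLAN unknown type [**] [Classification: (null)] [Priority: 3] [**] 0.0.0.0:0 -> 0.0.0.0:0
04/27/2015-16:40:05.124301  [**] [1:2200067:1] SURICATA VLAN unknown type [**] [Classification: (null)] [Priority: 3] [**] 0.0.0.0:0 -> 0.0.0.0:0
04/27/2015-16:40:06.500000  [**] [1:1000001:1] EXAMPLE ordinary alert [**] [Classification: Misc activity] [Priority: 3] [**] {TCP} 192.0.2.10:53231 -> 198.51.100.5:80
"""

# One alert per line: timestamp, then [gid:sid:rev] and the message text.
FAST_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
)

def parse_fast_log(text):
    """Turn fast.log text into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(FAST_LINE.match, text.splitlines()) if m]

def alerts_by_sid(records):
    """Count alerts per sid so the noisy rule stands out before any tuning."""
    return Counter(r["sid"] for r in records)

def noise_share(records, sid):
    """Fraction of all alerts produced by one sid (0.0 for an empty log)."""
    return alerts_by_sid(records)[sid] / len(records) if records else 0.0

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def bpf_exclude_src_mac(mac):
    """Build a BPF capture filter dropping frames from one source MAC.

    BPF sees the Ethernet header, so a MAC can be excluded at capture time
    even though these frames carry no IP address for a rule to match on.
    Hypothetical helper; the MAC is validated before it is interpolated
    into the filter string.
    """
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"not ether src {mac}"
```

Run `noise_share` over the real fast.log before and after applying the filter to confirm the two-second broadcast is the source of the noise and that nothing else was dropped.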