[Oisf-users] Modifying a rule

Andreas Moe moe.andreas at gmail.com
Tue Apr 28 05:14:13 UTC 2015


Is there any reason not to block the IP of this device, instead of the MAC?
As far as I know there is no straightforward method of blocking
communication based on MAC address without making a content match on the bytes
where the MACs are set in the Ethernet frame (if that would work).

Also, seeing that this signature should detect something coming from
EXTERNAL_NET to HOME_NET, and the unit you described seems to be a unit that
is on your HOME_NET, my question is: have you set your HOME_NET and
EXTERNAL_NET variables?

2015-04-28 1:55 GMT+02:00 James Moe <jimoe at sohnen-moe.com>:

>
> Hello,
>   suricata 2.0.7
>   linux 3.16.7-21-desktop x86_64
>
>   One of the contributors to fast.log is a VLAN alert. It is a
> broadcast emitted every two seconds from our Dish TV receiver. I
> decided to modify the rule so that it would ignore packets from that
> device.
>   Because it is a broadcast (I guess), there is no IP address in the
> packets, just the MAC address.
>
>   How do I rewrite the rule to ignore a particular MAC address?
>
>   This is the rule slightly modified to somewhat limit its scope:
> alert pkthdr [$EXTERNAL_NET] any -> $HOME_NET any (msg:"SURICATA VLAN
> unknown type"; decode-event:vlan.unknown_type; sid:2200067; rev:1;)
>
> - --
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
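The suppression approach from the reply, written out as an added threshold.config example (this is not from the thread or from the Suricata project; the device address 192.168.1.50 is a constructed placeholder). It also carries the case the original poster raised, where the offending frame has no IP layer at all:

```conf
# threshold.config: keep sid 2200067 enabled for the rest of the network,
# but stop it alerting for one known-noisy device (Andreas' suggestion:
# match on the source IP rather than on the MAC).
# gen_id 1 is the rule-based generator; sig_id is the sid in the rule.
suppress gen_id 1, sig_id 2200067, track by_src, ip 192.168.1.50

# Alternative: instead of silencing the source completely, rate-limit it
# so a broadcast every two seconds produces at most one alert per hour.
# (Leave only one of these two entries active for the same sid/source.)
# threshold gen_id 1, sig_id 2200067, type limit, track by_src, count 1, seconds 3600

# Caveat: a VLAN decode event means Suricata could not decode the payload
# after the VLAN header, so the packet may carry no IP header. Neither
# "track by_src" nor "track by_dst" can match such a frame, because both
# key on IP addresses. If the fast.log entries show no usable address,
# the remaining option is to suppress the sid for every source:
# suppress gen_id 1, sig_id 2200067
```

Suppressing the sid outright removes all visibility of VLAN decode problems, so prefer the per-source entry whenever the alert actually carries an IP address.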