[Oisf-users] Ineffective rules

James Moe jimoe at sohnen-moe.com
Mon May 4 21:59:41 UTC 2015


On 05/04/2015 02:10 PM, Andreas Moe wrote:
> You have set them up to alert in any direction (the '<>') [1]. If you
> had say A -> B it would only alert if this was a packet from host A
> towards host B.
>
  From the wiki
<https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules>:
! 1.1.1.1  (Every IP address but 1.1.1.1)

  Why does "alert tcp ![192.168.69.245] any <> any any" not work?
  It does not matter which direction the traffic goes; I just do not want
the alert.

> Also, might be better to define some netvariables like
> say HOME_NET[2] and so on to better divide where the rules will trigger,
> rather than doing single IP management in the rules.
>
  Yes, HOME_NET is defined. I was experimenting with tuning the rule to
the specifics of our network.
  The other response indicated this may be due to GR0 and LR0. What are
those? Not in the documentation anywhere.

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
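As an added illustration (not part of this thread or of Suricata's own code), here is a small Python model of how a rule header's address fields are evaluated, with `<>` tried in both orientations; it shows why `![192.168.69.245] any <> any any` still fires on traffic to or from that host. Ports are ignored and the parsing is deliberately simplified.

```python
import ipaddress

def parse_addr(spec):
    """Parse a Suricata-style address field: 'any', '1.2.3.4', '[a,b]' or '![...]'.
    Returns (negated, networks); networks is None for 'any'. Simplified model."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!").strip("[]")
    if spec == "any":
        return negated, None
    nets = [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",")]
    return negated, nets

def addr_matches(spec, ip):
    """True if ip satisfies the address field; a leading '!' inverts the result."""
    negated, nets = parse_addr(spec)
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated

def header_matches(header, src_ip, dst_ip):
    """Evaluate a header like 'alert tcp ![192.168.69.245] any <> any any'
    against a packet. '->' tests one orientation; '<>' tests both, so the rule
    matches if EITHER orientation satisfies the source/destination fields.
    Address lists must not contain spaces (the header is split on whitespace)."""
    _action, _proto, saddr, _sport, direction, daddr, _dport = header.split()
    forward = addr_matches(saddr, src_ip) and addr_matches(daddr, dst_ip)
    if direction == "->":
        return forward
    reverse = addr_matches(saddr, dst_ip) and addr_matches(daddr, src_ip)
    return forward or reverse

EXCLUDED = "192.168.69.245"
BIDIR = f"alert tcp ![{EXCLUDED}] any <> any any"          # header from the thread
BOTH_ENDS = f"alert tcp ![{EXCLUDED}] any -> ![{EXCLUDED}] any"  # excludes both endpoints

def demo():
    # Constructed sample flows: from the excluded host, to it, and unrelated.
    flows = [(EXCLUDED, "10.0.0.5"), ("10.0.0.5", EXCLUDED), ("10.0.0.5", "10.0.0.6")]
    return {
        "bidir": [header_matches(BIDIR, s, d) for s, d in flows],
        "both_ends": [header_matches(BOTH_ENDS, s, d) for s, d in flows],
    }

if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

With `<>`, a packet from 192.168.69.245 fails the forward orientation but passes the reverse one (the negated field is then checked against the other endpoint), so all three constructed flows alert; negating the host in both address fields with `->` is what actually suppresses it.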


