[Oisf-users] Ineffective rules

Andreas Moe moe.andreas at gmail.com
Mon May 4 22:04:51 UTC 2015


As I pointed out in the first link (
http://manual.snort.org/node29.html#SECTION00425000000000000000) you have
set your rule to be valid for every direction with the "<>" direction
indicator. This means it will trigger on "NOT your IP" towards ANY and also
ANY IP towards NOT your IP. So that kinda defeats the whole purpose of the
negating of the IP. Try e.g. "alert tcp ![..] any <> ![...] any" (just as a
quick example, possibly not the best solution).

LRO: http://en.wikipedia.org/wiki/Large_receive_offload
GRO: https://lwn.net/Articles/358910/

And this part of the suricata documentation talks about offloading of
these:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction



2015-05-04 23:59 GMT+02:00 James Moe <jimoe at sohnen-moe.com>:

> On 05/04/2015 02:10 PM, Andreas Moe wrote:
> > You have set them up to alert in any direction (the '<>') [1]. If you
> > had say A -> B it would only alert if this was a packet from host A
> > towards host B.
> >
>   From the wiki
> <
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules
> >:
> ! 1.1.1.1  (Every IP address but 1.1.1.1)
>
>   Why does "alert tcp ![192.168.69.245] any <> any any" not work?
>   It does not matter which direction of the traffic, I just do not want
> the alert.
>
> > Also, might be better to define some netvariables like
> > say HOME_NET[2] and so on to better divide where the rules will trigger,
> > rather than doing single IP management in the rules.
> >
>   Yes, HOME_NET is defined. I was experimenting with tuning the rule to
> the specifics of our network.
>   The other response indicated this may be due to GR0 and LR0. What are
> those? Not in the documentation anywhere.
>
> --
> James Moe
> moe dot james at sohnen-moe dot com
> 520.743.3936
>
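A small Python model of the header matching Andreas describes above, written as an added example for this thread (not Suricata's own code): it parses the rule header, applies IP negation, and checks a packet both ways for "<>", which shows why "![192.168.69.245] any <> any any" still alerts on traffic to or from that host while negating both sides does not. The 10.0.0.x addresses are constructed; real Suricata matching also involves ports, protocol, CIDR ranges and flow state, which this model leaves out.

```python
import re

# Header grammar as in the thread's rules: action proto src sport dir dst dport.
# Ports and protocol are parsed but ignored: the point is direction plus negation.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
)


def parse_header(rule_text):
    """Return (src_spec, direction, dst_spec); a trailing '(options)' part is ignored."""
    m = HEADER_RE.match(rule_text.split("(", 1)[0].strip())
    if m is None:
        raise ValueError(f"cannot parse rule header: {rule_text!r}")
    return m["src"], m["dir"], m["dst"]


def addr_matches(spec, ip):
    """Match one address field: 'any', 'X', '[X,Y]', '!X', '![X]' or '[!X]'.
    Single IPs only; CIDR ranges and nested lists are not modelled."""
    negate = False
    while spec.startswith("!") or (spec.startswith("[") and spec.endswith("]")):
        if spec.startswith("!"):
            negate, spec = not negate, spec[1:]
        else:
            spec = spec[1:-1]
    if spec == "any":
        return not negate
    return (ip in {a.strip() for a in spec.split(",")}) != negate


def rule_matches(rule_text, src_ip, dst_ip):
    """'->' checks src/dst as written; '<>' also accepts the packet with the two
    address fields swapped, so a host negated on only one side still matches."""
    src_spec, direction, dst_spec = parse_header(rule_text)
    forward = addr_matches(src_spec, src_ip) and addr_matches(dst_spec, dst_ip)
    if direction == "->":
        return forward
    return forward or (addr_matches(src_spec, dst_ip) and addr_matches(dst_spec, src_ip))


def fires_for(rule_text, flows):
    """Return the (src, dst) pairs in `flows` that the rule header alerts on."""
    return [flow for flow in flows if rule_matches(rule_text, *flow)]


if __name__ == "__main__":
    HOST = "192.168.69.245"  # the host from the thread; other addresses are constructed
    FLOWS = [(HOST, "10.0.0.7"), ("10.0.0.7", HOST), ("10.0.0.7", "10.0.0.8")]
    for text in ("alert tcp ![192.168.69.245] any <> any any",
                 "alert tcp ![192.168.69.245] any <> ![192.168.69.245] any"):
        print(text, "=>", fires_for(text, FLOWS))
```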