
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] Implementing Exclusions
From:       Darren Spruell <phatbuckett () gmail ! com>
Date:       2012-12-28 5:43:36
Message-ID: CAKVSOJVB=5TXUApu83QBfKRS=t_WPy_QQY+BEgDmO8KrsnJvVg () mail ! gmail ! com

On Wed, Dec 26, 2012 at 12:49 AM, PAURON, GUILLAUME (GUILLAUME)
<guillaume.pauron@alcatel-lucent.com> wrote:
> Hello,
> 
> I would like to know what is the best way to implement exclusions on generic
> sigs (for example the “SQLi Select from”). On this sig, the catch is only a
> pcre on “select from” on the http request, and I have some recurrent FP.
> 
> For example, requests like:
> “/aaz/3pe/display.do?nodeName=pml_mailv2_1&_File=%2Fwapmail%2Fselect_sendFrom.pml%”
> 
> How could I exclude that kind of thing in the best way? :)

More of a question about your particular IDS engine than the ruleset, but...

Couple of options that work well for me in cases like this:

- Write a 'pass' rule that matches the traffic you know is benign and
causing FPs on rules. Modern engines give precedence to pass rules.
This works well when your easiest way of identifying the FPs is by
packet payload.

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
http://manual.snort.org/node10.html

- Use tuning options such as suppressions or BPF filters to exclude
traffic to or from given hosts. If you find that your FPs are isolated
to a limited number of hosts or if the offending payload content is
difficult or expensive to match, you can suppress alerting for
specific rules and host/network combinations.

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds
http://manual.snort.org/node199.html

-- 
Darren Spruell
phatbuckett@gmail.com
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
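A concrete form of both options from the reply above, written as an added example rather than anything posted in the thread or shipped in the ET ruleset. The rule header variables ($EXTERNAL_NET, $HTTP_SERVERS, $HTTP_PORTS), the local sid 9000001, the placeholder SID_OF_ET_SQLI_RULE and the 10.0.0.0/24 network are all assumptions to be replaced with the values from your own deployment:

```suricata
# --- Option 1: pass rule (goes in a local.rules file loaded by the engine) ---
# Suricata's default action-order is pass, drop, reject, alert, so a matching
# pass rule wins over the ET alert rule. Keep the match narrow: a pass rule
# silences EVERY rule for the matching packet, not only the SQLi signature,
# so anchor it on the exact application path and filename seen in the FP.
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL PASS known-benign wapmail select_sendFrom.pml request"; \
    flow:established,to_server; \
    content:"/aaz/3pe/display.do"; http_uri; \
    content:"select_sendFrom.pml"; http_uri; \
    classtype:not-suspicious; sid:9000001; rev:1;)

# --- Option 2: suppression (goes in threshold.config) ---
# Only the one ET signature is silenced, and only when the source address is in
# the named network; every other rule still fires on that traffic. Use by_dst if
# the FPs are tied to the server side instead. SID_OF_ET_SQLI_RULE is a
# placeholder for the sid of the "SQLi Select from" rule in your ruleset.
suppress gen_id 1, sig_id SID_OF_ET_SQLI_RULE, track by_src, ip 10.0.0.0/24
```

Which one to pick follows the reply's own criterion: the pass rule is the better fit when the benign request is easy to identify by payload, while the suppress line is cheaper to evaluate and safer when the noise is isolated to a few hosts, because it never hides other signatures. In both cases, confirm the change took effect by replaying a pcap of the FP request through the engine (suricata -r or snort -r) and checking that only the intended alert disappeared.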
