[Emerging-Sigs] Implementing Exclusions

Darren Spruell phatbuckett at gmail.com
Thu Dec 27 19:43:36 HAST 2012

On Wed, Dec 26, 2012 at 12:49 AM, PAURON, GUILLAUME (GUILLAUME)
<guillaume.pauron at alcatel-lucent.com> wrote:
> Hello,
> I would like to know what is the best way to implement exclusions on generic
> sigs (for example the “SQLi Select from”). On this sig, the catch is only a
> pcre on “select from” on the http request, and I have some recurrent FP.
> For example, requests like:
> “/aaz/3pe/display.do?nodeName=pml_mailv2_1&_File=%2Fwapmail%2Fselect_sendFrom.pml%”
> How could I exclude that kind of thing in the best way? :)

More of a question about your particular IDS engine than the ruleset, but...

Couple of options that work well for me in cases like this:

- Write a 'pass' rule that matches the traffic you know is benign and
causing FPs on rules. Modern engines give precedence to pass rules.
This works well when your easiest way of identifying the FPs is by
packet payload.


- Use tuning options such as suppressions or BPF filters to exclude
traffic to or from given hosts. If you find that your FPs are isolated
to a limited number of hosts or if the offending payload content is
difficult or expensive to match, you can suppress alerting for
specific rules and host/network combinations.


Darren Spruell
phatbuckett at gmail.com
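Both options above, written out in Suricata syntax as an added example (not from either poster): a narrowly scoped pass rule keyed on the benign display.do request quoted in the question, and a threshold.conf suppression for one server. The rule SID of the "SQLi Select from" signature and the server address are placeholders, and the $EXTERNAL_NET -> $HTTP_SERVERS direction is an assumption.

```conf
# --- local.rules: pass rule (assumed direction: client -> your web servers) ---
# Keyed on the exact path AND the benign parameter value, so only the
# select_sendFrom.pml request is excused; a real "select ... from" injected
# elsewhere into display.do still reaches the SQLi signature.
# http_raw_uri is used for the query string because %2F would otherwise be
# subject to URI normalization before http_uri matching.
pass http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL pass benign display.do select_sendFrom.pml request"; flow:established,to_server; content:"/aaz/3pe/display.do?"; http_uri; content:"_File=%2Fwapmail%2Fselect_sendFrom.pml"; http_raw_uri; classtype:not-suspicious; sid:9000001; rev:1;)

# --- threshold.conf: suppress the SQLi rule for one known-benign server ---
# Replace SQLI_SELECT_FROM_SID with the actual sid of the "SQLi Select from"
# rule; 192.0.2.10 is a constructed placeholder for the application server.
# track by_dst: no alert from that rule when the server is the destination,
# so it stays active for every other host on the network.
suppress gen_id 1, sig_id SQLI_SELECT_FROM_SID, track by_dst, ip 192.0.2.10
```

The pass rule is the tighter of the two: the suppression silences the rule for every request to that server, including a genuine injection against it, so prefer the pass rule whenever the benign payload is cheap to match.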
