[Emerging-Sigs] Implementing Exclusions

Darren Spruell phatbuckett at gmail.com
Thu Dec 27 19:43:36 HAST 2012


On Wed, Dec 26, 2012 at 12:49 AM, PAURON, GUILLAUME (GUILLAUME)
<guillaume.pauron at alcatel-lucent.com> wrote:
> Hello,
>
> I would like to know what is the best way to implement exclusions on generic
> sigs (for example the “SQLi Select from”). On this sig, the catch is only a
> pcre on “select from” on the http request, and I have some recurrent FP.
>
> For example requests like :
> “/aaz/3pe/display.do?nodeName=pml_mailv2_1&_File=%2Fwapmail%2Fselect_sendFrom.pml%”
>
> How could I exclude that kind of thing in the best way ? :)

More of a question about your particular IDS engine than the ruleset, but...

Couple of options that work well for me in cases like this:

- Write a 'pass' rule that matches the traffic you know is benign and
causing FPs on rules. Modern engines give precedence to pass rules.
This works well when your easiest way of identifying the FPs is by
packet payload.

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
http://manual.snort.org/node10.html

- Use tuning options such as suppressions or BPF filters to exclude
traffic to or from given hosts. If you find that your FPs are isolated
to a limited number of hosts or if the offending payload content is
difficult or expensive to match, you can suppress alerting for
specific rules and host/network combinations.

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds
http://manual.snort.org/node199.html

-- 
Darren Spruell
phatbuckett at gmail.com
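As an added illustration (not part of the original post, and not from the ET ruleset), here are the two exclusion forms described above written for the request quoted in the question. The syntax shown (`content` with the `http_uri` modifier in a pass rule, and a `suppress` line in threshold.conf / threshold.config) is accepted by both Snort 2.x and Suricata. The sids, the server address and the network are placeholders: 1000001 is a local sid, and 2000001 stands in for the real sid of the "SQLi Select From" rule, which the thread does not give.

```snort
# --- Option 1: a pass rule in a local rules file ---
# Matches only the known-benign request, pinned to BOTH the servlet path and
# the file parameter, so it does not whitelist real injection attempts aimed
# at display.do. http_uri inspects the normalized URI, so the %2F-encoded
# form quoted in the question and a plain "/" form both match.
# sid 1000001 is a placeholder in the local (1,000,000+) range.
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL PASS known-benign select_sendFrom.pml request"; flow:established,to_server; content:"/aaz/3pe/display.do"; http_uri; content:"select_sendFrom.pml"; http_uri; nocase; sid:1000001; rev:1;)

# --- Option 2: a suppression for one rule and one host ---
# Silences only the SQLi rule (gen_id 1 = text rules; sig_id 2000001 is a
# placeholder for its real sid), and only for requests to the web server that
# hosts the /aaz/3pe/ application (192.0.2.10 is an assumed address). Every
# other rule still fires on that host, and the SQLi rule still fires elsewhere.
suppress gen_id 1, sig_id 2000001, track by_dst, ip 192.0.2.10
```

A pass rule suppresses every rule for the traffic it matches, not just the SQLi one, so keep its content matches as specific as the benign request allows; a suppression is the reverse trade-off, keeping other rules active but silencing the one rule for all traffic to that host, including real attacks against it. A BPF filter removes the traffic from inspection altogether and belongs only to hosts where you are willing to lose all detection, not just this alert.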

