Issues with Signature Framework

Hi all,

I’m pretty sure I know the answer will be “don’t use the Signature Framework” but I’m going to ask this question anyways. Ha.

I’m trying to whitelist an IP as a destination within a signature but it doesn’t seem to work and the sig is still firing. Is this just a quirk within the SF or am I missing something?

Example:

signature name {
    ip-proto == tcp
    dst-ip != 10.0.0.1
    payload /stuffimlookingfor/
    event "Getting stuff over TCP"
}

Any help would be much appreciated, thanks!
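As an added example (not code from the original post, and not part of Bro itself), the Python below parses the small subset of signature syntax the post uses (header conditions with == / != and comma-separated value lists, one payload regex, one event string) and evaluates it against a handful of constructed packets. It assumes the list semantics described in the signature framework documentation: == holds when any listed value matches and != holds when none of them matches. Header conditions are evaluated per packet, so the model also makes one practitioner caveat visible: when the payload is seen in the server-to-client direction, that packet's dst-ip is the client, and a dst-ip whitelist for the server has nothing to suppress.

```python
"""Reference checker for a subset of Bro signature syntax (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The signature from the post, reformatted; nothing else about it is assumed.
SIGNATURE_TEXT = """
signature name {
    ip-proto == tcp
    dst-ip != 10.0.0.1
    payload /stuffimlookingfor/
    event "Getting stuff over TCP"
}
"""

IP_PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}


@dataclass
class Packet:
    """Constructed packet: only the fields this subset of conditions needs."""
    proto: str
    src_ip: str
    dst_ip: str
    payload: bytes
    src_port: int = 0
    dst_port: int = 0


@dataclass
class Signature:
    name: str
    header_conds: List[Tuple[str, str, List[str]]]  # (field, op, values)
    payload_re: Optional[re.Pattern]
    event: str


_COND_RE = re.compile(r"^(ip-proto|src-ip|dst-ip|src-port|dst-port)\s*(==|!=)\s*(.+)$")


def parse_signature(text: str) -> Signature:
    """Parse one signature block; unsupported conditions raise ValueError."""
    name, conds, payload_re, event = "", [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "}":
            continue
        if line.startswith("signature "):
            name = line[len("signature "):].rstrip("{").strip()
        elif line.startswith("payload "):
            body = line[len("payload "):].strip()
            if not (body.startswith("/") and body.endswith("/")):
                raise ValueError(f"bad payload condition: {line}")
            payload_re = re.compile(body[1:-1].encode())
        elif line.startswith("event "):
            event = line[len("event "):].strip().strip('"')
        else:
            m = _COND_RE.match(line)
            if not m:
                raise ValueError(f"unsupported condition: {line}")
            values = [v.strip() for v in m.group(3).split(",")]
            conds.append((m.group(1), m.group(2), values))
    return Signature(name, conds, payload_re, event)


def _proto_number(value: str) -> int:
    return IP_PROTO_NUMBERS.get(value.lower()) or int(value)


def _value_matches(field: str, value: str, pkt: Packet) -> bool:
    """Does a single listed value match this packet's header field?"""
    if field == "ip-proto":
        return IP_PROTO_NUMBERS[pkt.proto] == _proto_number(value)
    if field in ("src-ip", "dst-ip"):
        addr = ipaddress.ip_address(pkt.src_ip if field == "src-ip" else pkt.dst_ip)
        return addr in ipaddress.ip_network(value, strict=False)  # plain IPs and CIDRs
    port = pkt.src_port if field == "src-port" else pkt.dst_port
    return port == int(value)


def header_conditions_hold(sig: Signature, pkt: Packet) -> bool:
    """Assumed list semantics: '==' needs any value to match, '!=' needs none to."""
    for field, op, values in sig.header_conds:
        any_match = any(_value_matches(field, v, pkt) for v in values)
        if (op == "==") != any_match:
            return False
    return True


def fires(sig: Signature, pkt: Packet) -> bool:
    if not header_conditions_hold(sig, pkt):
        return False
    return sig.payload_re is None or sig.payload_re.search(pkt.payload) is not None


SIG = parse_signature(SIGNATURE_TEXT)

# Constructed traffic, not taken from any real trace.
SAMPLE_PACKETS = {
    "to_whitelisted_host": Packet("tcp", "192.0.2.10", "10.0.0.1", b"GET /stuffimlookingfor HTTP/1.1", 40000, 80),
    "to_other_host": Packet("tcp", "192.0.2.10", "10.0.0.2", b"GET /stuffimlookingfor HTTP/1.1", 40000, 80),
    "reply_from_whitelisted_host": Packet("tcp", "10.0.0.1", "192.0.2.10", b"here is stuffimlookingfor", 80, 40000),
    "udp_to_other_host": Packet("udp", "192.0.2.10", "10.0.0.2", b"stuffimlookingfor", 5000, 5000),
    "no_payload_match": Packet("tcp", "192.0.2.10", "10.0.0.2", b"nothing here", 40000, 80),
}


def evaluate_samples() -> dict:
    return {name: fires(SIG, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:30} {'FIRES: ' + SIG.event if hit else 'quiet'}")
```

The "reply_from_whitelisted_host" sample is the one to watch: the signature is meant to exclude 10.0.0.1, but that packet's destination is the client, so the model fires on it. If the real signature also fires on traffic involving the whitelisted host, checking which direction carried the payload (for instance in the trace you would send with a bug report) is a cheap first step before digging into the debug.log output.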

I'm pretty sure I know the answer will be "don't use the Signature
Framework" but I'm going to ask this question anyways. Ha.

It's actually ok to use it, just not too heavily. :slight_smile:

I'm trying to whitelist an IP as a destination within a signature but it
doesn't seem to work and the sig is still firing.

Couple things:

    - I assume you have seen this list of "quirks"?
      https://www.bro.org/sphinx/frameworks/signatures.html#things-to-keep-in-mind-when-writing-signatures

    - If you compile with --enable-debug and run with '-B signatures'
      you get debugging information in debug.log that may help track
      down what's going on (if you don't mind looking at some
      low-level stuff) :slight_smile:

    - If you cannot figure it out I can look into it but would need a
      signature and a trace to reproduce what you're seeing.

Robin

Try putting it at the top of the sig list. If that doesn't work, put it at the bottom. I remember dealing with this myself after updating to 2.5.

James

Hey guys,

Thanks for the responses! I’ll try to take a look at the debug output and see if I can figure anything out there.

James,

Do you mean placing it first/last in the signatures file or putting the “dst-ip !=” first/last in the signature itself?

The entire signature.

Awesome, I’ll give that a shot. Thanks!