Best way to reference multiple IP addresses for http.host value on ET Open rule uuid 2026850

We have a certain installed service that sends host information to a cloud service and it sends it to public IP addresses, which is firing on rule uuid 2026850. The http.host field is seeing that it’s a dotted quad value and not a regular hostname. I would like to customize this rule to ignore those IP addresses (I have the IPs stored in a variable as well), but the destination IPs are actually our web proxy IPs, not the true destination that shows in the http.host field. Since I can’t reference those IPs in the destination IP field of the rule, are there any other ways to include all those public IPs in a concise way (there are many of them)? It doesn’t look like the http.host field likes my content:!$CUSTOMVARIABLE structure, saying it’s expecting all lowercase. I can only seem to insert the variable in the source or destination IP fields at the beginning of the signature.

Hi. I’m having a hard time understanding exactly what you want, but you cannot reference variables like that in rule keywords. [..] http_host; content:$EXTERNAL_NET ← this will not work.
Consider having a look at the dataset feature: 6.36. Datasets — Suricata 7.0.0-dev documentation

It also sounds a bit like you could look into the xff settings as well: suricata/suricata.yaml.in at master · OISF/suricata · GitHub
Only relevant if the IPs you want to ignore are in the x-forwarded-for header. I’m also not sure if the source IP and destination IP are overwritten in the detection logic or just for logging.

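An added example of the dataset approach suggested above; this is not code from either poster or from the Suricata project. It builds a `type string` dataset file of the IP literals to ignore and shows where a `dataset:isnotset` check sits in a rule that inspects the `http.host` buffer. Because the lookup keys off the Host header rather than the packet's destination address, it works even though the destination IP is the web proxy. The sample addresses, the dataset name `ignored-host-ips`, the file path, the SID and the rule's `msg` are all constructed for illustration; the original rule's own detection content is not reproduced. Two details worth checking against the Datasets documentation for your version: string dataset files are base64-encoded one value per line (a plain list of dotted quads will never match), and `http.host` is lowercase-normalised, so values are lowercased before encoding.

```python
"""Exclude a list of IP-literal Host values from an http.host match with a
Suricata string dataset (added example, not from the original thread)."""
import base64
import ipaddress
from pathlib import Path

# Constructed sample data: public addresses the installed agent contacts by
# IP. Replace with the real list; these are documentation-range addresses.
IGNORED_HOST_IPS = ["203.0.113.10", "198.51.100.7", "192.0.2.25"]


def dataset_lines(values):
    """Encode values as the lines of a Suricata `type string` dataset file.

    Suricata stores string datasets base64-encoded, one value per line.
    http.host is lowercase-normalised by the engine, so values are
    lowercased before encoding to match what the buffer will contain.
    """
    lines = []
    for value in values:
        ipaddress.ip_address(value.strip())  # ValueError if not an IP literal
        lines.append(base64.b64encode(value.strip().lower().encode()).decode())
    return lines


def write_dataset(path, values):
    """Write the dataset file and return the number of entries written."""
    lines = dataset_lines(values)
    Path(path).write_text("\n".join(lines) + "\n")
    return len(lines)


def exclusion_rule(sid, dataset_name, dataset_path):
    """Return a rule skeleton that alerts only when the Host header value is
    NOT in the dataset.

    The content checks of the ET rule are not reproduced; they belong on the
    http.host buffer where marked. Destination is `any` because the packet
    tuple points at the proxy, not the real server. Use an absolute path for
    `load` so the file is found regardless of how relative paths resolve.
    """
    return (
        "alert http $HOME_NET any -> any any ("
        'msg:"LOCAL HTTP Host header is an IP literal (listed IPs excluded)"; '
        "flow:established,to_server; "
        "http.host; "
        # -- the original rule's http.host content/pcre checks go here --
        f"dataset:isnotset,{dataset_name},type string,load {dataset_path}; "
        "classtype:misc-activity; "
        f"sid:{sid}; rev:1;)"
    )


def host_is_excluded(host, encoded_lines):
    """Offline check mirroring the engine lookup: decode the dataset and
    compare against the normalised Host value. Handy for validating the list
    before loading it into Suricata."""
    decoded = {base64.b64decode(line).decode() for line in encoded_lines}
    return host.strip().lower() in decoded


if __name__ == "__main__":
    lines = dataset_lines(IGNORED_HOST_IPS)
    print("\n".join(lines))
    print(exclusion_rule(9000001, "ignored-host-ips",
                         "/etc/suricata/ignored-host-ips.lst"))
    print(host_is_excluded("203.0.113.10", lines),
          host_is_excluded("8.8.8.8", lines))
```

Keep the generated `.lst` file next to your local rules and reference it by absolute path in `load`; after editing the list, reload rules so the dataset is re-read.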