Excluding IP Addresses from Monitoring or IDS/IPS

What is the best method to exclude IP addresses or ranges? Is thresholds the proper method to exclude IP addresses?

So we want to ignore some ranges of IP addresses so the IDS/IPS does not affect the traffic from those rnages.

What packet source are you using? Some (not all) packet sources use the BPF filter. You can set these in the Suricata configuration file.

You can also set the rule variables HOME_NET and EXTENAL_NET – note that these are rule variables so a rule would have to use these variables.

If what you want can’t be achieved with a bpf filter, perhaps pass rule could help. See https://suricata.readthedocs.io/en/suricata-5.0.3/performance/ignoring-traffic.html#pass-rules

I highly recommend ensuring your $HOME_NET is up to date before doing other forms of tuning first as it will give you a strong baseline for what the sensor is meant to monitor in the first place. After that, you can tune out noisy or authorized traffic through BPF filters, then you can add exclusions to specific rules.

Personally, I don’t like using the threshold.conf since the sensor still processes the traffic but only suppresses the alert instead of raising it for review/parsing.

Microsoft suggests excluding their Teams public IP addresses from being scanned through IDS/IPS.

I was thinking of some kind of Bypass to exclude their public IP address subnets.

Using EXTERNAL_NET I am not sure will work because the traffic will still pass through af-packet. Even if I negate Microsoft’s addresses in the variables

I don’t want to change any rules because there is other traffic affected by that.

Pass rules will still generate eve logs. However, I guess I could describe in the rule that it is passing Microsoft Teams traffic.

Will that pass rule not go through all the analysis?
Can I put those Microsoft Teams subnets in the rule?

We already have a baseline because we have been running traffic through it including older versions of Suricata for over 5 years.

We have used threshold suppress when a legitimate pen test has been done when requested to do so.

For the Pass rule, can I create rule variable specific for all the Microsoft Teams subnets?

If you have a specific list of IP ranges they’re using for Teams you could put them into a BPF file for exclusion so it doesnt get processed by AF_PACKET or suricata. If not, it’s going to be hard to ensure you’re not excluding generic Azure IPs so malware or a bad actor gets a free pass through the IDS.

I haven’t used PASS rules before so I don’t know the details of how they work, but I would research if they are still analyzed by other rules or pre-processors.

Was there a specific reason they state to not have that traffic be analyzed by an IDS? That’s a pretty broad (and generally tough thing to ensure) statement for them to make and I’m a bit curious as to their mentality behind it.

They are Microsoft. They don’t give reasons.

This is what I was given.

Since you’re using af-packet, a bpf rule is probably the best approach to keeping the unwanted data from being analyzed

Where does that hit in the chain?

Here is what Microsoft says but I have found where they specifically say filter. I think they mean allow through the firewall. Our af-packet sits on the WAN side of firewall.

UDP ports 3478 through 3481 on 13.107.64.0/18, 52.112.0.0/14, and 52.120.0.0/14

How many bpf filters can be applied in the af-packet configuration in suricata.yaml?

Keep in mind that if you’re using AF_PACKET in IPS mode, so as a L2 bridge, a BPF will actually block traffic. It will cause the traffic not to be processed on the capture NIC, meaning its also not forwarded to the peering NIC.

For IDS mode, BPF will be effective.

It’s also possible to look into the kernel bypass support, but this will depend on rules to mark certain traffic for bypass.

So their article doesnt state it’s absolutely required but is worded for ensuring functionality with O365. They dont explicitly state that an IDS is going to tamper with the Teams traffic but if you do want to whitelist the entire set of 2 /14s and /18 a BPF filter will work well (if it’s not in IPS mode as stated by @vjulien).

But won’t it still only block the hosts or ip address subnets in the bpf? Not all traffic?

Leonard

From:

Victor Julien via Suricata suricata@discoursemail.com
To:

ljacobs@netsecuris.com

So again if the bpf has those specific subnets in it, IPS will still drop all traffic or just those specific subnets. If yes then it defeats the purpose of using af_packet in ips mode.

Even using a pass rule does not stop the packets from hitting another rule?

From:

Matt Clairmont via Suricata suricata@discoursemail.com
To:

ljacobs@netsecuris.com

In the middle of the link I sent, the document states;

Intrusion Detection and Prevention Guidance
If your environment has an Intrusion Detection or Prevention System (IDS/IPS) deployed for an extra layer of security for outbound connections, be sure to whitelist all Office 365 URLs.
From:

Matt Clairmont via Suricata suricata@discoursemail.com
To:

ljacobs@netsecuris.com

Correct, but that doesnt state it’s going to prevent anything from functioning incorrectly unless an IPS blocks it. I, of course, dont know your network infra but this article doesn’t state anything special about the traffic being analyzed by an IDS such as breaking the Teams traffic if it’s flowing through an IDS inline.

Edit: that goes for any IDS, regardless of vendor, closed/open source.