Excluding VARS from HOME_NET & EXTERNAL_NET

Happy Friday everyone!

Hopefully you can help me because I am getting a little bit lost (which is normal as I am a beginner with Suricata).
Like most of you, you might have some vulnerability scanners in your network generating a lot of false positives.

I tried to exclude them using the var section of suricata.yaml like this:

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12, ![$SEC_SCANNERS]]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "![$HOME_NET, $SEC_SCANNERS]"
    #EXTERNAL_NET: "any"

    SEC_SCANNERS: "[10.10.28.0/24]"

For some reason the alerts are still passing through, like:

alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:2100591; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Where src_ip is a vulnerability scanner.

I hope you can provide me some guidance.

  1. Try to set the SEC_SCANNERS variable before HOME_NET; it might need to be defined first.

  2. You could also use an (e)BPF filter on the interface to completely skip this traffic from inspection (if you want that).

  3. You could also use the suppress feature if you want to exclude this traffic maybe just from specific rules.
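To make the three options in the reply concrete, here is an added configuration sketch. It is not the poster's config nor anything shipped by the Suricata project: it reuses the poster's own variable syntax and the 10.10.28.0/24 range, the interface name eth0 is assumed, and the suppress entry targets the sid 2100591 from the rule quoted above. Whether the variable order alone fixes the poster's problem is the reply's suggestion, not something verified here.

```yaml
# suricata.yaml fragment (added illustration, not the original poster's file).
vars:
  address-groups:
    # Option 1: declare the scanner range first, then reference it. The
    # variable syntax is copied unchanged from the poster; only the order moved.
    SEC_SCANNERS: "[10.10.28.0/24]"
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12, ![$SEC_SCANNERS]]"
    EXTERNAL_NET: "![$HOME_NET, $SEC_SCANNERS]"

af-packet:
  - interface: eth0                     # assumed interface name
    # Option 2: a capture-level BPF filter. Packets to or from the scanner
    # range are dropped before decoding, so no rule, flow log or file
    # extraction will ever see them.
    bpf-filter: "not net 10.10.28.0/24"

# Option 3 does not live in suricata.yaml but in threshold.config
# (referenced via the "threshold-file" key). One line per rule to silence,
# matched on the scanner as source address:
#
#   suppress gen_id 1, sig_id 2100591, track by_src, ip 10.10.28.0/24
```

Pick only one of the three in practice. Option 2 is the cheapest on CPU but also the most blind: if a scanner host is ever compromised, nothing it does will show up in Suricata's logs. Option 3 keeps full visibility of scanner traffic and removes noise one signature at a time, which is usually the better trade for a network that is actually being monitored; the variable approach in option 1 sits in between, hiding scanner traffic from every rule that is scoped by $HOME_NET or $EXTERNAL_NET but not from rules written with "any".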