How can I exclude one network from the scan?

Hello.
How can I exclude one network from the scan? For example 192.168.8.0/24. I can’t find an example of how this is done. Could you tell me where and how the exception needs to be registered so that it works?

Hi.
I interpret your question to mean how to exclude a subnet from suricata rule matching and logging.
Have a look at Trusted IP's Where a put

First of all, Suricata does not scan. In addition to what syoc wrote, you can set a bpf filter to exclude this network, see 9.7. Ignoring Traffic — Suricata 6.0.2 documentation, and add it into the interface section of the yaml like bpf-filter: "not host 192.168.8"

sudo suricata -i ens192 -v not net 192.168.8.0/24
Did I write the right command? The server takes a very long time to process the command.

sudo suricata -i ens192 -v not net 192.168.8.0/24
With this command, I broke the server.

Should I make an exception for each address?
Example:
suppress gen_id 1, sig_id 2002087, track by_src, ip 172.16.51.1
suppress gen_id 0, sig_id 0, track by_src, ip 172.16.51.1
suppress gen_id 1, sig_id 0, track by_src, ip 172.16.51.1
suppress gen_id 1, sig_id 2002087, track by_src, ip 172.16.51.2
suppress gen_id 0, sig_id 0, track by_src, ip 172.16.51.2
suppress gen_id 1, sig_id 0, track by_src, ip 172.16.51.2
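Both exclusion mechanisms discussed in this thread, as an added example that is not from the original posts or from the Suricata project: the capture-level bpf-filter in the interface section of suricata.yaml, and the alert-level suppress entry in threshold.config. The interface ens192 and the subnet 172.16.51.0/24 are taken from the thread; af-packet as the capture method and the cluster-id / cluster-type values are assumptions.

```yaml
# suricata.yaml, af-packet capture section (af-packet is assumed here;
# pcap, netmap and pf_ring interface sections take the same key).
# A bpf-filter is applied by the capture method before decoding and
# rule matching, so traffic to or from the excluded network never
# reaches the detection engine: no alerts, no flow or protocol logs.
af-packet:
  - interface: ens192            # SPAN-port interface from the thread
    cluster-id: 99               # assumed; keep the value you already use
    cluster-type: cluster_flow   # assumed; keep the value you already use
    defrag: yes
    bpf-filter: "not net 172.16.51.0/24"   # one entry for the whole /24

# To exclude several networks, combine the terms in one expression:
#   bpf-filter: "not (net 172.16.51.0/24 or net 192.168.8.0/24)"
```

For alert-only exclusion, a single line `suppress gen_id 1, sig_id 0, track by_src, ip 172.16.51.0/24` in threshold.config covers the whole subnet as source (add a matching `track by_dst` line for the other direction), but the traffic is still inspected and logged and only the alerts are dropped. Restart Suricata (or reload the ruleset) after changing either file.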

You write the bpf filter “not net 192.168.8.0/24” but in the screenshot we see that you used “not net 172.16.51.0/24”.

In addition to that, what do your config and setup look like?

What do you mean by “broke the server” exactly?

Network 192.168.8.0/24 was just an example. Let’s forget this network. It was a test one.
At work, I want to add the 172.16.51.0/24 network to the exception.
sudo suricata -i ens192 -v not net 172.16.51.0/24 – the command ran for 2 days. I didn’t wait and cancelled it. Configured for the interface connected to the Cisco SPAN port.
Second try. Made an exception with a subnet mask. Made an exception without a subnet mask. The rule does not work…