Hi all (and happy Thanksgiving to our US friends),
Currently I am working through rule 2006380. I will need to exclude some ranges and singular dest IPs.
As a result I make my modify.conf line as follows:
2006380 "$HOME_NET any -> any any" "$HOME_NET any -> ![$NAME1, 10.50.145.157, 10.5.162.64, 10.50.140.0/24] any"
For some reason, after killing suricata, running suricata-update, and restarting suricata I still see alerts with dest ip 10.5.162.64.
No idea why. I could create a whole new rule of course, however that surpasses the idea of having a modify.conf (I believe).
Anyone’s input is highly appreciated (as always),
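One check worth doing before expecting a changed rule in the output: suricata-update compiles the first quoted field of a modify.conf entry as a Python regular expression and applies it with a regex substitution, so a pattern that never matches leaves the rule exactly as it was, with no error. The script below is an added illustration written for this thread, not suricata-update's own code; it models only the regex-substitution step (shlex-split the line, compile the pattern, substitute), uses a constructed rule body rather than the real ET rule text, and assumes nothing about how the rule is downloaded or where it is written.

```python
import re
import shlex

# Constructed sample rule (not the real ET rule 2006380). The header is written
# as "$HOME_NET any -> any any" so that the pattern from the post would apply
# if the regex actually matched.
SAMPLE_RULE = (
    'alert http $HOME_NET any -> any any (msg:"CONSTRUCTED test rule"; '
    'sid:2006380; rev:1;)'
)

# The modify.conf line as posted: "$" is unescaped.
POSTED_LINE = (
    '2006380 "$HOME_NET any -> any any" '
    '"$HOME_NET any -> ![$NAME1, 10.50.145.157, 10.5.162.64, 10.50.140.0/24] any"'
)

# Same entry with "$" escaped in the pattern field so the regex matches a
# literal dollar sign instead of treating "$" as an end-of-string anchor.
ESCAPED_LINE = (
    '2006380 "\\$HOME_NET any -> any any" '
    '"$HOME_NET any -> ![$NAME1, 10.50.145.157, 10.5.162.64, 10.50.140.0/24] any"'
)


def parse_modify_line(line):
    """Split one modify.conf entry into (sid, compiled pattern, replacement).

    Approximates suricata-update's handling: the three fields are tokenised
    with shlex, and the pattern field is compiled as a regular expression.
    Inside double quotes shlex keeps a backslash before "$", so "\\$HOME_NET"
    reaches re.compile as the literal-dollar pattern the user intended.
    """
    sid, pattern, repl = shlex.split(line)
    return sid, re.compile(pattern), repl


def apply_modify(rule, line):
    """Apply one modify.conf entry to a rule string.

    Returns (matched, new_rule). When matched is False the regex never hit
    and the rule text is returned unchanged, which is what suricata-update
    silently does as well.
    """
    _, pattern, repl = parse_modify_line(line)
    new_rule, count = pattern.subn(repl, rule)
    return count > 0, new_rule


if __name__ == "__main__":
    for label, line in (("as posted", POSTED_LINE), ("escaped", ESCAPED_LINE)):
        matched, out = apply_modify(SAMPLE_RULE, line)
        print(f"{label}: matched={matched}")
        print("  " + out)
```

In the unescaped form the regex `$HOME_NET any -> any any` can only match where `$` is an end-of-string anchor followed by the letter H, which never happens, so the rule keeps its original header and the excluded destinations still alert. After running suricata-update, the quickest confirmation is to look up the sid in the generated rules file (by default /var/lib/suricata/rules/suricata.rules) and check that the header really carries the negated address group before restarting Suricata.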