Newbie question about whitelisting IPs for a single rule

Hello,

I’m a fairly new Suricata user, so this may be a dumb question.

There’s an alert that I’m getting constantly that I’m pretty sure is a false positive. Here’s the rule (if that even matters to answer the question):

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Neutrino"; ja3_hash; content:"a7dfa1673bb090cab6b6658861f43473"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028380; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)

And it’s generating tons of alerts every 10 minutes or so. The source IP is always a specific IP address on our network which is actually an HP Digital Printer: X.X.X.54. And there are several alerts that come up all at once - all to different destination IPs, which I’m assuming are associated with HP (side question - is there a ‘standard’ way/place to research IP addresses to see who they belong to or if they’re ‘friendly/legit’, etc.?). Here are a few of the IPs:
108.138.246.17
3.236.169.53
3.236.169.120
34.207.21.235
52.119.197.163
108.138.246.124
3.239.232.14

(And the reason I think it’s a false positive is because I believe that the Neutrino malware is PC malware, so it couldn’t be running on our digital printer, right?)

Anyway, if I’m correct about those IP addresses being HP addresses, I would like to stop alerts from coming in for this particular rule if one of those IP addresses is the ‘destination’. So I would still like to be alerted for this rule as long as the destination IP isn’t one of the ones that I would like to whitelist. And I don’t necessarily want to whitelist those IP addresses for everything…just for this one rule. Hopefully this makes sense.

What’s the best way to do this? Do I somehow manually edit the actual rule directly? Or do I somehow use modify.conf or something else?

Hi!

A good starting point for looking at IP addresses or any IOC in general is VirusTotal; it provides a wealth of information, though be sure to look at submission dates and double check with other sources.

With regard to the specific signature sid:2028380, the Neutrino EK (Exploit Kit) has largely disappeared for a few years now. So take that into account when looking into the alert as well. Additionally, we have seen a number of false positives that alert on ja3 alone (as opposed to a ja3 (request) coupled with ja3s (response) using flowbits).

As a sort of final note, the Emerging Threats (ET) set will have sid 2028380 disabled by default in today's release.

Hope that helps!

JT

Hi jt!

Yes, it does help - thank you for all the information - I appreciate it! I’ll probably just end up disabling that rule too then. I’m going to call HP support to make sure that all those IPs are theirs first though.
But for my own curiosity / possible future needs, is there a way to do what I asked in my original post?
(Whitelist a few IP addresses for a particular rule only?)

Jamie

Yes, the easiest way is to modify the rule and change the destination and negate those IPs
Example: alert tls $HOME_NET any -> [$EXTERNAL_NET, ! 108.138.246.17] any ...

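As an added example (not code from this thread, from Suricata, or from suricata-update), here is a small Python script that applies IDSTower's approach to a rules file: it rewrites only the rule carrying the given sid, keeps the original destination ($EXTERNAL_NET) and appends a negation for each exempted IP in the destination field, so the addresses stay visible to every other rule. The sample rule and the IP list are the ones from the question; the function names are mine. The script also bumps the rule's rev so a locally edited copy is distinguishable from the upstream one, which is a convention I chose rather than something Suricata requires.

```python
"""Rewrite one Suricata rule so it stops matching a list of destination IPs.

Added example for this thread; not Suricata's or suricata-update's own code.
It follows the syntax shown in the answer above: the destination field becomes
a group that keeps the original value and negates each exempted address.
"""
import ipaddress
import re

# Constructed sample input: the rule quoted in the question, with the two
# reference: options dropped to keep the line short.
RULE_2028380 = (
    'alert tls $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"ET JA3 Hash - Possible Malware - Neutrino"; ja3_hash; '
    'content:"a7dfa1673bb090cab6b6658861f43473"; classtype:unknown; '
    'sid:2028380; rev:2; metadata:created_at 2019_09_10, former_category JA3, '
    'updated_at 2019_10_29;)'
)

# The destination IPs listed in the question (assumed HP-owned; verify first).
EXEMPT_DST = [
    "108.138.246.17", "3.236.169.53", "3.236.169.120", "34.207.21.235",
    "52.119.197.163", "108.138.246.124", "3.239.232.14",
]


def split_header(header):
    """Split the rule header into its seven fields, keeping bracketed address
    groups such as "[$EXTERNAL_NET, !1.2.3.4]" together as one field."""
    fields, buf, depth = [], [], 0
    for ch in header:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch.isspace() and depth == 0:
            if buf:
                fields.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        fields.append("".join(buf))
    if len(fields) != 7:
        raise ValueError(f"unexpected rule header: {header!r}")
    return fields


def exempt_destinations(rule, ips):
    """Return the rule with every entry of `ips` negated in its destination.
    Single hosts or CIDR blocks are accepted; anything else raises ValueError,
    so a typo cannot silently produce a rule that fails to load."""
    rule = rule.strip()
    paren = rule.index("(")  # options start at the first parenthesis
    header, options = rule[:paren].strip(), rule[paren:]
    action, proto, src, sport, direction, dst, dport = split_header(header)

    # Work on the contents of an existing group, or treat a single value as one.
    inner = dst[1:-1] if dst.startswith("[") and dst.endswith("]") else dst
    existing = {tok.strip() for tok in inner.split(",")}
    negations = []
    for ip in ips:
        ipaddress.ip_network(ip, strict=False)  # validate; raises on garbage
        if f"!{ip}" not in existing:            # idempotent on a re-run
            negations.append(f"!{ip}")
    if negations:
        dst = "[" + ", ".join([inner] + negations) + "]"

    # Bump rev so the local copy is distinguishable from the upstream rule.
    options = re.sub(r"\brev:(\d+);",
                     lambda m: f"rev:{int(m.group(1)) + 1};", options, count=1)
    return " ".join([action, proto, src, sport, direction, dst, dport]) + " " + options


def apply_to_rules(lines, sid, ips):
    """Rewrite only the active rule carrying `sid` in a list of rule-file lines;
    comments, blank lines and every other rule pass through unchanged."""
    pattern = re.compile(rf"\bsid\s*:\s*{int(sid)}\s*;")
    out = []
    for line in lines:
        if pattern.search(line) and not line.lstrip().startswith("#"):
            out.append(exempt_destinations(line, ips))
        else:
            out.append(line)
    return out


if __name__ == "__main__":
    print(apply_to_rules([RULE_2028380], 2028380, EXEMPT_DST)[0])
```

Write the rewritten rule to a local rules file that Suricata loads instead of the upstream copy of sid 2028380, then run `suricata -T -c suricata.yaml` so any syntax problem in the edited header is reported before the sensor restarts.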

Hi IDSTower,

Ahhhh, OK, thank you. I thought there may be an easy solution.

Thanks a bunch! I have some other rules that I want to do this with, so this is really helpful.