"ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group" # changes with updates.


s...@lyricalsecurity.com

Jun 26, 2018, 5:59:53 AM6/26/18
to security-onion
Hello all,

I had previously suppressed this Alert for group 160 sourcing from a specific IP, using sig_id 2522319. After a threat-feed update it now triggers as group 161 using sig_id 2522321 for the same specific IP.

I note that the IP I am trying to allow does not appear in the list that these group numbers seem to apply to. E.g., the rule refers to 151.x.x.x, 153.x.x.x, whereas the IP I want to allow falls under 158.x.x.x.

Is there a way to avoid changing threshold.conf every time the threat-feed update changes the group this IP is listed in (which places it under a different sig_id), yet still prevent this IP from triggering this alert?

Steven.

Wes Lambert

Jun 26, 2018, 5:09:36 PM6/26/18
to securit...@googlegroups.com
Have you considered using BPF, as described here?


Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.


Steven J

Jun 27, 2018, 3:20:26 AM6/27/18
to securit...@googlegroups.com
Thank you Wes, I can surely use this in other parts of my sensor tuning.

My trouble with these Tor nodes is, when the threat feed decides an IP belongs in a different group, that new group has a different sig_id, so my suppression no longer works.

Steven Malm
Roc-Analyst I
Lyrical Security
174 Spadina Ave, Suite 400, Toronto, ON, Canada - M5T 2C2

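
One way to make the suppression survive feed updates, as an added example that is not from the thread or from the Security Onion project: after each rule update, regenerate the suppress entries from the current rule file, keyed on the stable alert message prefix rather than on the sig_id that moves with the group. It assumes the Snort/Suricata threshold.conf suppress syntax and the Emerging Threats rule format; the sample rules, the 9000xxx sids and the IP 192.0.2.10 are constructed placeholders (only 2522319 and 2522321 come from the thread).

```python
import re

# Constructed sample in Emerging Threats rule format (not copied from the real feed);
# 2522319/2522321 are the sids named in the thread, the 9000xxx sids are placeholders.
SAMPLE_RULES = """\
alert udp [151.0.2.1,153.0.2.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 160"; classtype:misc-attack; sid:2522319; rev:1;)
alert udp [155.0.2.3,158.0.2.4] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 161"; classtype:misc-attack; sid:2522321; rev:1;)
alert tcp [151.0.2.1,153.0.2.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 160"; classtype:misc-attack; sid:9000001; rev:1;)
# alert udp [159.0.2.5] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 162"; classtype:misc-attack; sid:9000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"ET POLICY constructed unrelated rule"; classtype:policy-violation; sid:9000003; rev:1;)
"""

# Match on the message prefix, not on a group number or sid: both of those move
# when the feed is regenerated, the prefix does not.
MSG_PREFIX = "ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group"
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')

def tor_group_sids(rules_text):
    """Sorted sids of every enabled rule whose msg starts with MSG_PREFIX.
    Commented-out (disabled) rules are skipped: a disabled rule cannot alert, so it
    needs no suppress entry until it is re-enabled and this is re-run."""
    sids = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        msg = MSG_RE.search(line)
        if msg is None or not msg.group(1).startswith(MSG_PREFIX):
            continue
        sid = SID_RE.search(line)
        if sid is not None:
            sids.add(int(sid.group(1)))
    return sorted(sids)

def suppress_lines(sids, ip, gen_id=1):
    """threshold.conf suppress entries for one source IP (track by_src, because the
    alert in the thread fires on traffic *from* the IP). gen_id 1 is the rule engine."""
    return [f"suppress gen_id {gen_id}, sig_id {sid}, track by_src, ip {ip}" for sid in sids]

def regenerate(rules_text, ip):
    """Block to place in threshold.conf after each rule update, bracketed by marker
    comments so a wrapper script can replace the managed block instead of appending twice."""
    body = "\n".join(suppress_lines(tor_group_sids(rules_text), ip))
    return f"# BEGIN managed ET TOR suppressions for {ip}\n{body}\n# END managed ET TOR suppressions\n"

if __name__ == "__main__":
    # 192.0.2.10 stands in for the 158.x.x.x address discussed in the thread.
    print(regenerate(SAMPLE_RULES, "192.0.2.10"))
```

Run it against the live rule file (for example from the same hook that applies the rule update) and the suppression follows the IP whichever group and sig_id the feed moves it to; a BPF filter, as suggested above, instead drops the IP's traffic before any rule sees it, so it also hides other alerts from that host.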