Error when applying IP filter to Sigma rules.

[Johnny111125]

Version

2.4.90

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

32

Storage for /

200 gb

Storage for /nsm

150 gb

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I am trying to filter out my security scanner from triggering certain Sigma rules, however it seems the filter is breaking the rule. After applying the filter, the alert will not fire at all. I am also receiving an error when testing the filter in Kibana.
Am I applying this correctly?

Error when testing in Kibana.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[InfosecGoon]

Can you share one of the actual alerts, so we can see what fields are included?

[Johnny111125]

This is one of the alerts. I would like to block 192.168.1.223 from triggering this.

Security Onion IDH - SSH Accessed

[InfosecGoon]

Does a filter of "source.ip:192.168.1.223" do it?

It looks like the issue is that your current filter is trying to run a CIDR function on a non-IP field, so the query isn't being understood.

[Johnny111125]

Yes, that works. Thanks!

Now, how do I filter multiple IPs?

[Johnny111125]

I thought by just adding a second filter I would be able to filter another IP, however that did not work. What is the proper way to filter multiple IPs?