IDH ignorelist #9715

cnefj384fjfosk · 2023-02-03T08:26:44Z

cnefj384fjfosk
Feb 3, 2023

Is it possible to config an IDH ignorelist from the manager node: /opt/so/saltstack/local/pillar/minions/$IDH-Hostname_idh.sls ?
If yes, can you give me an example on a working config ?

If not, are there any other options to ignore alerting on scans from Tenable and other scanners i our network ?

This is from OpenCanary's documentation, where they have listen an ignorelist option:

ssh: a Secure Shell server that alerts on login attempts
ftp - a File Transfer Protocol server that alerts on login attempts
git - a Git protocol that alerts on repo cloning
http - an HTTP web server that alerts on login attempts
httpproxy - an HTTP web proxy that alerts when there is an attempt to proxy to another page
mssql - an MS SQL server that alerts on login attempts
mysql - an MYSQL server that alerts on login attempts
telnet - a Telnet server that alerts on login attempts
snmp - an SNMP server that alerts on oid requests
sip - a SIP server that alerts on sip requests
vnc - a VNC server that alerts on login attempts
redis - a Redis server that alerts on actions
tftp - a TFTP server that alerts on requests
ntp - an NTP server that alerts on NTP requests.
tcpbanner - a TCPbanner service that alerts on connection and subsequent data received events.
ignorelist - comma-separated ips or CIDRs that will ignore alerting on.

Answered by cnefj384fjfosk

Mar 27, 2023

I finally managed to solve my own request 🥇
In the default salt config file for IDH, it is possible to add an ignorelist:
/opt/so/saltstack/default/salt/idh/defaults/defaults.yaml

I added a comma seperated list of IPs that now will ignored an not generate any events/alerts.

idh:
  opencanary:
    config:
      ip.ignorelist: [xx.xx.xx.xx,xx.xx.xx.xx,xx.xx.xx.xx]

View full answer

robbiemarshall · 2023-02-06T13:30:29Z

robbiemarshall
Feb 6, 2023

Edited because this needs to be addressed via Playbook, not Suricata.

2 replies

cnefj384fjfosk Feb 6, 2023
Author

Yes, but that would only work for an IDS rule or alert right ?

My issue is the OpenCanary alerts generated by different honeypots i our environment. In a default installation of a honeypot from OpenCanary, you can configure an ignorelist, to suppress events generated from vulnerability scanners in your network.
It dosent seems to be pollible with the IDH node from Security Onion ?

robbiemarshall Feb 9, 2023

You would need to tune the Play in Playbook that is creating that alert. Documentation can be found here: https://docs.securityonion.net/en/2.3/playbook.html#tuning-plays

cnefj384fjfosk · 2023-03-27T09:43:49Z

cnefj384fjfosk
Mar 27, 2023
Author

I finally managed to solve my own request 🥇
In the default salt config file for IDH, it is possible to add an ignorelist:
/opt/so/saltstack/default/salt/idh/defaults/defaults.yaml

I added a comma seperated list of IPs that now will ignored an not generate any events/alerts.

idh:
  opencanary:
    config:
      ip.ignorelist: [xx.xx.xx.xx,xx.xx.xx.xx,xx.xx.xx.xx]

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

IDH ignorelist #9715

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

IDH ignorelist #9715

Uh oh!

Uh oh!

cnefj384fjfosk Feb 3, 2023

Replies: 2 comments · 2 replies

Uh oh!

Uh oh!

robbiemarshall Feb 6, 2023

Uh oh!

cnefj384fjfosk Feb 6, 2023 Author

Uh oh!

robbiemarshall Feb 9, 2023

Uh oh!

Uh oh!

cnefj384fjfosk Mar 27, 2023 Author

cnefj384fjfosk
Feb 3, 2023

Replies: 2 comments 2 replies

robbiemarshall
Feb 6, 2023

cnefj384fjfosk Feb 6, 2023
Author

cnefj384fjfosk
Mar 27, 2023
Author