Jump to content

Is it possible to create an exclusion using Source IP?


Recommended Posts

I want to create an exclusion for ssh protocol, but only coming from a specific host IP address but this is not one of the predefined options.

Is it possible to specify source IP using the Advanced Editor? If so, what are the correct 'component' and 'property' values to use?

Link to comment
Share on other sites

  • ESET Staff

As you did not share any data, I will be be sharing a very generic how to that may or may not work for you.  If it doesn't, I will need a bit more info on what you are seeing in the details of the detection.  Main assumption is that you have some sort of SSH Server process, on Linux/macOS, which is getting detections on one of our SSH Rules.

 

You will need to use an Advanced Exclusion.  I would recommend to use a "Process" and "Operations" section to state, "When a specific IP is seen starting an inbound connection to process named ssh in path /abc/efg/, it is expected and do not trigger detection."

Some notes before I show the rule:

TcpIpConnect = outbound connection

TcpIpAccept = inbound connection

 

Here is how you can exclude multiple IP addresses (ensure you are defining each address as either IPv4 or IPv6):

<definition>
    <process>
        <!-- Define attributes about your process of interest here -->
        <operator type="AND">
            <condition component="FileItem" property="FileName" condition="is" value="sshServer"/>
            <condition component="FileItem" property="Path" condition="starts" value="/your/path/here/"/>
        </operator>
    </process>
    <operations>
      	<!-- Inbound IP Addresses excluded from detection -->
        <operation type="TcpIpAccept">
            <operator type="or">
                <condition component="Network" property="IpAddressV4" condition="is" value="10.0.0.138" />
                <condition component="Network" property="IpAddressV6" condition="is" value="fe80::1ff:fe23:4567:890a" />
            </operator>
        </operation>
    </operations>
</definition>

 

If you are looking to only exclude a single IP, the "operator type" will change to the following:

<definition>
    <process>
        <!-- Define attributes about your process of interest here -->
        <operator type="AND">
            <condition component="FileItem" property="FileName" condition="is" value="sshServer"/>
            <condition component="FileItem" property="Path" condition="starts" value="/your/path/here/"/>
        </operator>
    </process>
    <operations>
      	<!-- Single inbound IP Address excluded from detection -->
        <operation type="TcpIpAccept">
            <operator type="and">
                <condition component="Network" property="IpAddressV4" condition="is" value="10.0.0.138" />
            </operator>
        </operation>
    </operations>
</definition>

 

Lastly, lets say you want to exclude both inbound and outbound connections, you can then use something similar to the following:

<definition>
    <process>
        <!-- Define attributes about your process of interest here -->
        <operator type="AND">
            <condition component="FileItem" property="FileName" condition="is" value="sshServer"/>
            <condition component="FileItem" property="Path" condition="starts" value="/your/path/here/"/>
        </operator>
    </process>
    <operations>
        <!-- Inbound IP Addresses excluded from detection -->
        <operation type="TcpIpAccept">
            <operator type="or">
                <condition component="Network" property="IpAddressV4" condition="is" value="10.0.0.138" />
                <condition component="Network" property="IpAddressV6" condition="is" value="fe80::1ff:fe23:4567:890a" />
            </operator>
        </operation>
        <!-- Outbound IP Addresses excluded from detection -->
        <operation type="TcpIpConnect">
            <operator type="or">
                <condition component="Network" property="IpAddressV4" condition="is" value="10.0.0.138" />
                <condition component="Network" property="IpAddressV6" condition="is" value="fe80::1ff:fe23:4567:890a" />
            </operator>
        </operation>
    </operations>
</definition>

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...