Open coelner opened 7 months ago
Hi @coelner, thanks for the issue. Actually, this is already done by whitelisting Slips' own traffic by default in the whitelist file here (https://github.com/stratosphereips/StratosphereLinuxIPS/blob/master/config/whitelist.conf). And as you see, spamhaus.org should be ignored. However, the fact that you still see it means that something is not working. Let us work on this.
I see, it is the flow and not the alert. https://github.com/stratosphereips/StratosphereLinuxIPS/blob/d697955f1a7fa5578d90c22e15de19bd357ad1af/config/whitelist.conf#L78-L79
domain,spamhaus.org,both,flows
ip,3.126.246.180,both,flows
# If you don't want to see these flows, change 'alerts' to 'both' for both corresponding lines
And in relation to that: https://github.com/stratosphereips/StratosphereLinuxIPS/blob/d697955f1a7fa5578d90c22e15de19bd357ad1af/slips_files/core/helpers/filemonitor.py#L76
I assume that the whitelist.conf gets reloaded afterwards, or do I need to restart Slips?
Hello @coelner,
Yes, you're right: the whitelist is automatically reloaded after any change to whitelist.conf, so there is no need to restart Slips.
Not sure if we should whitelist the flows, though; that would be making traffic on behalf of the user and hiding it from them. As a user, I'd prefer visibility over reduced FPs.
This should be solved if we can whitelist the alerts instead of the flows; clearly, whitelisting of alerts is not working as it should.
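The two comments above turn on what the last column of a whitelist.conf line means: `flows` hides the flow but still lets evidence such as "Detected domain ...zen.spamhaus.org resolved" through, `alerts` does the opposite, and `both` hides both. The following is an added example, not Slips' own whitelist code, that parses lines in the four-column format quoted in this thread (type, value, direction, what to ignore) and answers "should this flow or this alert be suppressed?". The rule set, the domain names, the function names and the subdomain-matching behaviour (a rule for `spamhaus.org` covering `x.zen.spamhaus.org` but not `notspamhaus.org`) are assumptions made for the illustration.

```python
"""Whitelist matching for lines in the whitelist.conf format quoted above.

Added example; it is not Slips' implementation. It assumes the columns
type,value,direction,what_to_ignore with the vocabularies seen in the thread
(ip/domain, src/dst/both, flows/alerts/both).
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample. The first two lines mirror the quoted config lines;
# the third is an invented rule that whitelists alerts only, for contrast.
SAMPLE_WHITELIST = """\
# Comment lines and blank lines are skipped.
domain,spamhaus.org,both,flows
ip,3.126.246.180,both,flows
domain,example.org,dst,alerts
"""

KINDS = ("ip", "domain")
DIRECTIONS = ("src", "dst", "both")
IGNORE_TYPES = ("flows", "alerts", "both")


@dataclass(frozen=True)
class Rule:
    kind: str       # "ip" or "domain"
    value: str      # normalised IP string or lower-cased domain
    direction: str  # "src", "dst" or "both"
    ignore: str     # "flows", "alerts" or "both"


def parse_whitelist(text: str) -> list[Rule]:
    """Parse whitelist.conf-style text; reject malformed lines loudly rather
    than silently skipping them, so a typo cannot quietly disable a rule."""
    rules: list[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 columns, got {len(parts)}")
        kind, value, direction, ignore = parts
        if kind not in KINDS or direction not in DIRECTIONS or ignore not in IGNORE_TYPES:
            raise ValueError(f"line {lineno}: unknown type/direction/ignore value")
        if kind == "ip":
            value = str(ipaddress.ip_address(value))  # raises ValueError on junk
        else:
            value = value.lower().rstrip(".")
        rules.append(Rule(kind, value, direction, ignore))
    return rules


def _domain_matches(rule_domain: str, observed: str) -> bool:
    """Exact match or a subdomain of the rule; label-aware, so
    'notspamhaus.org' does not match a rule for 'spamhaus.org'."""
    observed = observed.lower().rstrip(".")
    return observed == rule_domain or observed.endswith("." + rule_domain)


def _ip_matches(rule_ip: str, observed: str) -> bool:
    try:
        return str(ipaddress.ip_address(observed)) == rule_ip
    except ValueError:
        return False  # observed value is a domain, not an IP


def is_whitelisted(rules: list[Rule], *, what: str, value: str, direction: str) -> bool:
    """what: 'flows' or 'alerts'; value: the IP or domain seen; direction:
    'src' or 'dst' (the side of the connection the value appears on)."""
    if what not in ("flows", "alerts") or direction not in ("src", "dst"):
        raise ValueError("what must be flows/alerts, direction must be src/dst")
    for r in rules:
        if r.ignore not in (what, "both"):
            continue  # rule covers the other kind of thing (flows vs alerts)
        if r.direction not in (direction, "both"):
            continue
        if r.kind == "domain" and _domain_matches(r.value, value):
            return True
        if r.kind == "ip" and _ip_matches(r.value, value):
            return True
    return False


if __name__ == "__main__":
    rules = parse_whitelist(SAMPLE_WHITELIST)
    lookup = "1.2.3.4.zen.spamhaus.org"
    # With the quoted 'flows' rule the flow is hidden but the alert is not,
    # which is exactly the symptom reported in this issue.
    print("flow hidden :", is_whitelisted(rules, what="flows", value=lookup, direction="dst"))
    print("alert hidden:", is_whitelisted(rules, what="alerts", value=lookup, direction="dst"))
    # Changing the last column to 'both' hides the alert as well.
    both = parse_whitelist("domain,spamhaus.org,both,both")
    print("alert hidden with 'both':", is_whitelisted(both, what="alerts", value=lookup, direction="dst"))
```

Run it as a script to see the flow/alert distinction for the spamhaus.org rule. The parser deliberately raises on malformed lines; in a file that is hot-reloaded on every save, as the maintainer describes below, a silently dropped rule would reintroduce the very noise the rule was written to remove, so failing loudly is the safer default.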
Please Describe The Feature You Want
Flag or hide Slips' own traffic, like these entries:
- Detected domain x.x.x.x.zen.spamhaus.org resolved with no connection threat level: low.
This behaviour is shown if the interface is mapped directly into the Docker container and Slips watches the traffic.
(Optional): Suggest A Solution
Set fwmark and filter for those.