Whitelisting

ACE offers several whitelisting mechanisms, each applied at a different level: individual observables (from the GUI), analysis and observable objects (from analysis modules), the root analysis as a whole, emails, URLs, and incoming submissions.

Analyst (User) Whitelisting

Analysts are able to whitelist observables from the analysis tree in the GUI. Observables which are whitelisted in this way are not analyzed by the engine. They are still displayed in the analysis tree with a whitelisted tag.

An observable can be un-whitelisted from the same menu item.

The current set of whitelisted observables cannot be viewed or managed.

Limiting Analyst (User) Whitelisting

Certain observable types should not be whitelisted by analysts. The setting whitelist_excluded_observable_types in the [gui] section of the configuration contains a comma separated list of observable types that cannot be whitelisted from the GUI.

[gui]
whitelist_excluded_observable_types = ipv4_full_conversation,yara_rule,indicator,snort_sig

Note that this exclusion applies only to the GUI; analysis modules can still whitelist observables of these types.

Analysis and Observable Whitelisting

Both analysis and observable objects can be whitelisted in one of three ways.

  • Adding a tag with a value of whitelisted.
  • Adding the directive DIRECTIVE_WHITELISTED.
  • Calling mark_as_whitelisted().

Note that calling mark_as_whitelisted() also

  • adds the whitelisted tag.
  • adds the DIRECTIVE_WHITELISTED directive.
  • sets the root analysis whitelisted boolean property to true.

Adding only the tag or only the directive whitelists the object itself but does not whitelist the root analysis.
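The following is an added example, not ACE's own code, that models the semantics described in the Limiting Analyst (User) Whitelisting section and in this section: the GUI path refuses the types listed in whitelist_excluded_observable_types and otherwise only tags the observable, while mark_as_whitelisted() adds the tag, adds DIRECTIVE_WHITELISTED, and sets the root analysis whitelisted property. The RootAnalysis and Observable classes, the add_tag()/add_directive() helpers, the value of DIRECTIVE_WHITELISTED and the sample observables are assumptions chosen for illustration and do not reflect ACE's actual class layout.

```python
# Added example: a stand-in model of the whitelisting semantics this page
# describes. It is NOT ACE's own code; everything except the names
# mark_as_whitelisted(), DIRECTIVE_WHITELISTED, the "whitelisted" tag and
# the root-analysis "whitelisted" boolean is an assumption for illustration.
import configparser

DIRECTIVE_WHITELISTED = "whitelisted"   # assumed value; ACE defines the real constant
TAG_WHITELISTED = "whitelisted"


class RootAnalysis:
    def __init__(self):
        self.whitelisted = False   # the boolean property described under Root Analysis Whitelisting
        self.observables = []

    def add_observable(self, obs):
        obs.root = self
        self.observables.append(obs)
        return obs

    def should_alert(self):
        # A whitelisted root analysis never becomes an alert.
        return not self.whitelisted


class Observable:
    def __init__(self, o_type, value):
        self.type = o_type
        self.value = value
        self.tags = set()
        self.directives = set()
        self.root = None

    def add_tag(self, tag):
        self.tags.add(tag)

    def add_directive(self, directive):
        self.directives.add(directive)

    @property
    def whitelisted(self):
        # Either the tag or the directive whitelists the object itself.
        return TAG_WHITELISTED in self.tags or DIRECTIVE_WHITELISTED in self.directives

    def mark_as_whitelisted(self):
        # Does all three things the page lists: tag, directive, and root flag.
        self.add_tag(TAG_WHITELISTED)
        self.add_directive(DIRECTIVE_WHITELISTED)
        if self.root is not None:
            self.root.whitelisted = True


# Constructed config fragment mirroring the [gui] setting shown on this page.
GUI_CONFIG = """
[gui]
whitelist_excluded_observable_types = ipv4_full_conversation,yara_rule,indicator,snort_sig
"""


def excluded_types(config_text=GUI_CONFIG):
    """Parse the comma separated exclusion list into a set of observable types."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    raw = cfg.get("gui", "whitelist_excluded_observable_types", fallback="")
    return {t.strip() for t in raw.split(",") if t.strip()}


def analyst_whitelist(obs, config_text=GUI_CONFIG):
    """Analyst (GUI) path: refuse excluded types, otherwise add only the tag."""
    if obs.type in excluded_types(config_text):
        return False
    obs.add_tag(TAG_WHITELISTED)
    return True


def demo():
    """Walk through both paths on constructed sample observables."""
    root = RootAnalysis()
    url = root.add_observable(Observable("url", "http://example.com/"))   # constructed sample
    sig = root.add_observable(Observable("snort_sig", "1:1000001"))        # constructed sample
    results = {}
    results["analyst_url"] = analyst_whitelist(url)   # allowed type
    results["analyst_sig"] = analyst_whitelist(sig)   # refused: snort_sig is excluded in [gui]
    results["url_whitelisted"] = url.whitelisted      # the tag alone whitelists the observable
    results["root_after_tag"] = root.whitelisted      # ...but does not touch the root analysis
    sig.mark_as_whitelisted()                         # module path: GUI exclusion does not apply
    results["sig_whitelisted"] = sig.whitelisted
    results["root_after_mark"] = root.whitelisted     # mark_as_whitelisted() sets the root flag
    results["alerts"] = root.should_alert()           # whitelisted root will not become an alert
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from demo() is the difference between the two paths: tagging from the GUI leaves root.whitelisted False, so the root analysis can still alert on its other observables, while mark_as_whitelisted() suppresses the whole root analysis.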

Root Analysis Whitelisting

Root analysis can be marked as whitelisted by setting the boolean whitelisted property to true. This prevents a root analysis from becoming an alert.

Email Whitelisting

There is special support for whitelisting emails based on sender, recipient and subject. The EmailAnalyzer module uses this support to apply whitelisting to the current root analysis object during analysis.

This method is referred to as "Brotex Whitelisting" because it came from another project called Brotex.

See here for details about this whitelisting method.

Crawlphish and Cloudphish Whitelisting and Blacklisting

The crawlphish and cloudphish analysis modules support another filtering scheme designed for URLs.

See here for details about this whitelisting method.

Submission Filtering

ACE receives work in the form of submissions. A filtering system is available that is specific to the format of that data.