Snort mailing list archives

Exclude IPs from snort rules - snort IPS


From: Forensix Land <forensixland () gmail com>
Date: Wed, 31 May 2017 22:34:28 -0400

Hi,
We have Snort 2.9.9.0 running as an IPS. I need a recommendation on how to exclude some IPs from a drop rule.
According to the document, suppressing with track by source or destination IP only stops the alerts from being logged, but the rule is still applied. When running as an IPS, this means it still drops the traffic without logging.

I am considering using a "pass" rule, but I read somewhere that there is no way to guarantee the rule order so that the "pass" rule always wins over the "drop" or "alert" rule.

Any suggestions other than modifying the rule?



Thanks in advance!

FL