Snort mailing list archives
Exclude IPs from snort rules - snort IPS
From: Forensix Land <forensixland () gmail com>
Date: Wed, 31 May 2017 22:34:28 -0400
Hi, We have snort 2.9.9.0 running as IPS. I need recommendation on how to exclude some IPs from a drop rule. According to the document, suppressing track by source or destination ip only does not log the alerts but the rule is still applied. when running as IPS, this means it still drops the traffic without logging. I am considering using "pass" rule, but I read somewhere there is no way to guarantee the rule order so the "pass" rule always wins over the "drop" or "alert" rule. Any other suggestions than modifying the rule? Thanks in advance! FL ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Exclude IPs from snort rules - snort IPS Forensix Land (May 31)
- Re: Exclude IPs from snort rules - snort IPS Joel Esler (jesler) (May 31)