Snort mailing list archives

Re: New Suppress

From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Thu, 24 Sep 2009 09:07:04 -0500

Quoting Jason Wallace <jason.r.wallace () gmail com>:

I would like to suppress all alerts from our external vulnerability
scanning service. Their scans can come from numerous IP ranges.


I use PASS rules for that.  The problem with suppress is that the test  
packets pass through the rule base and get inspected, then get  
ignored.  The PASS rule fires first and ends the analysis.

jp

-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com


------------------------------------------------------------------------------
Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
http://p.sf.net/sfu/devconf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

New Suppress Jason Wallace (Sep 24)
- Re: New Suppress JJ Cummings (Sep 24)
  - Re: New Suppress rcombs (Sep 24)
- Re: New Suppress Jack Pepper (Sep 24)
  - Re: New Suppress Jason Brvenik (Sep 24)