Snort mailing list archives
Re: Exclude IPs from snort rules - snort IPS
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Thu, 1 Jun 2017 03:39:13 +0000
Pass rule is correct. Wherever you read the order thing is wrong. There are several ways to ensure order, all are in the manual.

Sent from my iPad
On May 31, 2017, at 10:37 PM, Forensix Land <forensixland () gmail com> wrote:

Hi,

We have Snort 2.9.9.0 running as IPS. I need a recommendation on how to exclude some IPs from a drop rule.

According to the document, suppressing track by source or destination IP only does not log the alerts, but the rule is still applied. When running as IPS, this means it still drops the traffic without logging.

I am considering using a "pass" rule, but I read somewhere there is no way to guarantee the rule order so the "pass" rule always wins over the "drop" or "alert" rule.

Any other suggestions than modifying the rule?

Thanks in advance!
FL

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
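An added example, not part of the original thread: one way to write the exclusion asked about above as a pass rule placed beside the drop rule it exempts. The Snort 2.x manual gives the default rule application order as pass, then drop, then alert, then log. The addresses, the variable name TRUSTED_HOSTS, the port, the content match and the sids are constructed for illustration, and HOME_NET is assumed to be defined in snort.conf.

```snort
# local.rules (constructed example, Snort 2.9.x syntax)

# Hosts to exempt. 192.0.2.0/24 is a documentation range; replace with
# the real addresses. TRUSTED_HOSTS is a hypothetical variable name.
ipvar TRUSTED_HOSTS [192.0.2.10,192.0.2.20]

# Pass rule: same protocol, direction and port as the drop rule below,
# but limited to the exempted sources. Keep the header this narrow:
# a pass rule stops further rule processing for the traffic it matches,
# so a broad header would exempt these hosts from every other rule too.
pass tcp $TRUSTED_HOSTS any -> $HOME_NET 445 (msg:"LOCAL pass trusted hosts to 445"; sid:1000001; rev:1;)

# The drop rule being exempted (constructed stand-in for the real one).
drop tcp any any -> $HOME_NET 445 (msg:"LOCAL example drop on 445"; flow:to_server,established; content:"|FF|SMB"; sid:1000002; rev:1;)

# Ordering checks:
# - With default settings pass rules are applied before drop and alert
#   rules, so the pass rule above wins for the exempted hosts.
# - Do not start Snort with --alert-before-pass, which makes alert rules
#   take effect in favor of pass rules.
# - If snort.conf contains a "config order:" line, make sure "pass" is
#   still listed first.
```

After reloading, send test traffic from one exempted host and one non-exempted host to confirm that only the latter is dropped.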
Current thread:
- Exclude IPs from snort rules - snort IPS Forensix Land (May 31)
- Re: Exclude IPs from snort rules - snort IPS Joel Esler (jesler) (May 31)