Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Exclude IPs from snort rules - snort IPS

From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Thu, 1 Jun 2017 03:39:13 +0000
Pass rule is correct.  Wherever you read the order thing is wrong.  There are several ways to ensure order, all are in 
the manual.  

Sent from my iPad


On May 31, 2017, at 10:37 PM, Forensix Land <forensixland () gmail com> wrote:

Hi,
We have snort 2.9.9.0 running as IPS. I need recommendation on how to exclude some IPs from a drop rule.
According to the document, suppressing track by source or destination ip only does not log the alerts but the rule is 
still applied. when running as IPS, this means it still drops the traffic without logging.

I am considering using "pass" rule, but I read somewhere there is no way to guarantee the rule order so the "pass" 
rule always wins over the "drop" or "alert" rule. 

Any other suggestions than modifying the rule?



Thanks in advance!

FL
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: