Snort mailing list archives
Re: wihtelist one IP?
From: Matt Olney <molney () sourcefire com>
Date: Thu, 3 Dec 2009 08:01:55 -0500
I don't think that's the most effective way to do this. Try using the BPF option as you launch Snort. The advantage to this is that the traffic involving that IP address never has to be processed by the detection engine, which improves performance.

Should be something relatively simple like having a file bpf.txt with "not host 217.x.x.x." and then using -F to load it. However, I'm doing that straight from memory as I'm watching my kids fight over the remote, so I'll check my work when I hit the office in about an hour and post here.

Matt

On Thu, Dec 3, 2009 at 7:16 AM, post urne <posturne () gmail com> wrote:
Hello,

I am trying to whitelist one of our customers' IPs in my local Snort setup. After much "googling" I believe I found a way: I created 2 rules in /etc/snort/rules/local.rules:

pass tcp 217.x.x.x any -> any any ( sid:1000001 ;)
pass tcp any any -> 217.x.x.x any ( sid:1000002 ;)

The local.rules file is included in snort.conf, but I still get tcp alerts for 217.x.x.x. Where is my mistake - any ideas?

regards,
tom

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience, a free event focused on virtualization and cloud computing. Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
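The BPF approach from the reply above, as an added example that is not part of the original thread: a small shell helper that builds the exclusion filter for one or more hosts and refuses placeholder or malformed addresses such as the masked 217.x.x.x. The function names, the file paths in the usage comment and the addresses 192.0.2.10 and 198.51.100.7 are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the contents of a BPF filter file for Snort's -F option.
# Function names, paths and sample addresses are assumptions, not from the thread.

# valid_ipv4 ADDR -> returns 0 only for a dotted quad with octets 0-255
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # empty, non-numeric, empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_bpf ADDR... -> prints one expression that drops traffic to AND from
# every listed host before it reaches the detection engine
build_bpf() {
    filter=""
    for addr in "$@"; do
        valid_ipv4 "$addr" || { echo "invalid address: $addr" >&2; return 1; }
        if [ -z "$filter" ]; then
            filter="not host $addr"
        else
            filter="$filter and not host $addr"
        fi
    done
    [ -n "$filter" ] || { echo "no addresses given" >&2; return 1; }
    printf '%s\n' "$filter"
}

# Usage (assumed paths):
#   build_bpf 192.0.2.10 > /etc/snort/bpf.txt
#   snort -c /etc/snort/snort.conf -F /etc/snort/bpf.txt
```

Because the filter removes the host's packets before detection, Snort produces no alerts at all for that address, so the exclusion list should be kept short and reviewed.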
Current thread:
- wihtelist one IP? post urne (Dec 03)
- Re: wihtelist one IP? Matt Olney (Dec 03)
- Re: wihtelist one IP? Tommie Giles (Dec 03)
- Re: wihtelist one IP? Seth Art (Dec 03)
- Re: wihtelist one IP? post urne (Dec 03)
- Re: wihtelist one IP? Seth Art (Dec 03)