[Snort-sigs] A suppressed IP address still got blocked
Joel Esler (jesler)
jesler at cisco.com
Tue Dec 12 15:22:57 EST 2017
Suppression just turns off the alerts. The action is still taking place. You have to pass the traffic before it is blocked.
Joel Esler | Talos: Manager | jesler at cisco.com
On Dec 12, 2017, at 10:00 AM, Glenn Ungaro <gungaro at necscorp.com> wrote:
I work for an MSP and we host several companies' email. I have Snort running at the main client’s facility. 4 weeks ago the MSP’s Barracuda was flagged by Snort as a possible spambot. I then put it in my suppress list and for some reason a few days ago it blocked the MSP’s Barracuda again. I have Snort running as IDS now and the Barracuda still has the same IP address it always had. How can I make sure this won’t happen again if I turn Snort back to blocking? Snort is running on pfSense 2.2.4 with a Lanner router.
Any help is greatly appreciated.
Asst. Network Administrator
Northeast Computer Corp.
gungaro at necscorp.com
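
The difference between a suppress entry and a pass rule in Snort 2.x syntax, as an added example that is not part of the original thread. The address 192.0.2.10, both SIDs and the restriction to TCP port 25 are constructed placeholders; substitute the real gateway address and the rule that actually fired.

```snort
# --- Suppress list entry (what the original poster configured) ---
# Silences the event for this source address only. As the reply above
# states, the rule's action still takes place; only the alert is hidden.
# sig_id 1000002 is a placeholder for the SID of the rule that fired.
suppress gen_id 1, sig_id 1000002, track by_src, ip 192.0.2.10

# --- Pass rule (what the reply recommends), e.g. in local.rules ---
# Matching packets are passed and not evaluated against drop/alert rules.
# Snort 2.9 evaluates pass rules first by default; starting Snort with
# --alert-before-pass reverses that order and defeats this rule.
# Scoping to outbound SMTP (port 25) is an assumption about the traffic
# that triggered the spambot rule.
pass tcp 192.0.2.10 any -> any 25 (msg:"LOCAL pass trusted mail gateway SMTP"; sid:1000001; rev:1;)
```

Keep the pass rule as narrow as the traffic allows, since every packet it matches skips all other rules.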