[Snort-sigs] A suppressed IP address still got blocked

Joel Esler (jesler) jesler at cisco.com
Tue Dec 12 15:22:57 EST 2017


Suppression just turns off the alerts.  The action is still taking place.  You have to pass the traffic before it is blocked.

--
Joel Esler | Talos: Manager | jesler at cisco.com<mailto:jesler at cisco.com>





On Dec 12, 2017, at 10:00 AM, Glenn Ungaro <gungaro at necscorp.com<mailto:gungaro at necscorp.com>> wrote:

Hello All
I work for a MSP and we host several companies email. I have Snort running at the main client’s facility. 4 weeks ago the MSP’s barracuda was flagged by Snort as a possible spambot. I then put it in my suppress list and for some reason a few days ago it blocked the MSP’s barracuda again. Now I have Snort running as IDS now and the barracuda still has the same IP Address it always had. How can I make sure this won’t happen again if I turn Snort back to blocking. Snort is running on pfSense 2.2.4 with a Lanner router.
Any help is greatly appreciated.
Thank You


Glenn Ungaro
Asst. Network Administrator
Northeast Computer Corp.
gungaro at necscorp.com<mailto:gungaro at necscorp.com>
845-629-0634

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.snort.org<mailto:Snort-sigs at lists.snort.org>
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20171212/fc21867d/attachment.html>


More information about the Snort-sigs mailing list