[Snort-users] Snort (inline) is it possible to add a whitelist ip to a rule ?

Morgan Cox morgancoxuk at ...11827...
Fri Oct 10 17:49:00 EDT 2008


I want to know if it is possible to add a whitelist ip address to a rule.

I.e :-

drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic
sql update injection attempt"; flow:established,to_server; content:"update";
nocase; pcre:"/update[^\n]*set/i"; metadata:policy security-ips drop,
service http; reference:url,
classtype:web-application-attack; sid:13514; rev:3;)

- is it possible to add an destination IP that the rule will not apply

I am using snort inline

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20081010/ecf3c013/attachment.html>

More information about the Snort-users mailing list