[Snort-users] whitelist one IP?

Matt Olney molney at ...1935...
Thu Dec 3 08:01:55 EST 2009


I don't think that's the most effective way to do this.  Try using the
BPF option as you launch Snort.  The advantage to this is that the
traffic involving that IP address never has to be processed by the
detection engine, which improves performance.  Should be something
relatively simple like having a file bpf.txt with "not host
217.x.x.x" and then using -F to load it.  However, I'm doing that
straight from memory as I'm watching my kids fight over the remote, so
I'll check my work when I hit the office in about an hour and post
here.

Matt

On Thu, Dec 3, 2009 at 7:16 AM, post urne <posturne at ...11827...> wrote:
> Hello,
>
> I am trying to whitelist one of our customers' IPs in my local Snort setup.
>
> After much "googling" I believe I found a way:
>
> I created 2 rules in the /etc/snort/rules/local.rules:
>
> pass tcp 217.x.x.x any -> any any ( sid:1000001 ;)
> pass tcp any any -> 217.x.x.x any ( sid:1000002 ;)
>
>
> The local.rules file is included in snort.conf, but I still get tcp
> alerts for 217.x.x.x.
>
> Where is my mistake - any ideas?
>
> regards,
> tom
>

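The approach Matt sketches above, as an added example that is not part of the thread: a small POSIX shell helper that builds the BPF exclusion expression for Snort's -F option, generalized beyond the single "not host" case to several whitelisted hosts and CIDR networks, and that validates every entry before the expression is written out. The address 192.0.2.10 (TEST-NET-1) is a constructed placeholder standing in for the poster's 217.x.x.x, and the snort.conf path in the demo is assumed.

```bash
#!/bin/sh
# Added example, not from the thread: build the BPF exclusion filter that
# Matt describes for Snort's -F option, generalized to several whitelisted
# hosts and CIDR networks, and validate each entry before it reaches Snort.
# 192.0.2.10 (TEST-NET-1) is a constructed placeholder for the poster's 217.x.x.x.

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0-255.
is_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  rest=$1
  n=0
  while [ -n "$rest" ]; do
    octet=${rest%%.*}
    [ "$octet" -le 255 ] || return 1
    n=$((n + 1))
    case $rest in
      *.*) rest=${rest#*.} ;;
      *)   rest= ;;
    esac
  done
  [ "$n" -eq 4 ]
}

# bpf_term ENTRY: print "host A.B.C.D" for an address or "net A.B.C.D/N" for a
# CIDR block; fail on anything that is not one of those two forms.
bpf_term() {
  case $1 in
    */*)
      addr=${1%/*}
      plen=${1#*/}
      is_ipv4 "$addr" || return 1
      case $plen in ''|*[!0-9]*) return 1 ;; esac
      [ "$plen" -le 32 ] || return 1
      printf 'net %s/%s' "$addr" "$plen"
      ;;
    *)
      is_ipv4 "$1" || return 1
      printf 'host %s' "$1"
      ;;
  esac
}

# build_bpf_filter ENTRY...: print one BPF expression that excludes every entry,
# e.g. "not host 192.0.2.10" or "not (host 192.0.2.10 or net 10.0.0.0/8)".
# Returns non-zero and prints nothing if any entry is malformed, so a typo
# cannot silently turn into a filter that excludes the wrong traffic.
build_bpf_filter() {
  [ $# -ge 1 ] || return 1
  filt=
  for entry in "$@"; do
    term=$(bpf_term "$entry") || return 1
    filt="${filt:+$filt or }$term"
  done
  if [ $# -eq 1 ]; then
    printf 'not %s\n' "$filt"
  else
    printf 'not (%s)\n' "$filt"
  fi
}

# Demo: write the filter to a temporary bpf.txt and show the Snort invocation.
# The snort.conf path is assumed; snort itself is not run here.
bpf_file=$(mktemp)
build_bpf_filter 192.0.2.10 > "$bpf_file"
printf 'bpf.txt: %s\n' "$(cat "$bpf_file")"
printf 'snort -c /etc/snort/snort.conf -F %s\n' "$bpf_file"
rm -f "$bpf_file"
```

One caveat worth keeping in mind when choosing this over pass rules: a BPF "not host" filter keeps every packet to or from that address away from the detection engine, which is exactly the performance win Matt describes, but it also means Snort will never alert on anything involving that host, including attacks against it. Pass rules, by contrast, can be scoped to a protocol or port and leave the rest of that host's traffic inspected.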