[Snort-users] whitelist rule to 1 ip?

Joel Esler jesler at ...1935...
Wed Mar 3 09:14:49 EST 2010

I don't understand what you mean by whitelist.

Suppression allows you to turn off alerting for a particular ip.   
That's whitelisting. If you want to write a rule for ONLY one IP, then  
you can modify the rule header to only deal with one IP instead of a  
whole variable.

Joel Esler
Sent from my iPhone

On Mar 3, 2010, at 5:11 AM, Morgan Cox <morgancoxuk at ...11827...> wrote:

> Hi.
> I did ask this a while ago but never got a response.
> What is the correct way of white-listing a rule for a specific IP .
> I know that your can suppress warnings of a rule to an IP using the  
> threshold file, but is thee any way to completely whitelist a rule -  
> to 1 IP only?
> Any help on this will be appreciated.
> Regards
> --- 
> --- 
> --- 
> ---------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list