[Snort-users] disabling rule groups based on host groups/subnets

Youngquist, Jason R. jryoungquist at ...14244...
Tue Apr 5 11:19:28 EDT 2011

I was wondering if there was any way to disable rule groups based on host groups or IP subnets?

Ie. with pulledpork and the disablesid.conf file, I can disable rule groups such as "shellcode", "web-iis" etc. globally.

With the threshold.conf, I can disable one individual rule for multiple IPs or subnets.

What I would like to be able to do is disable rule group(s) based on host groups or IP subnets.

Is there any way to do this besides maintaining two instances of snort?

Jason Youngquist
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist at ...14244...

More information about the Snort-users mailing list