[Snort-users] disabling rule groups based on host groups/subnets

Edward Fjellskål edwardfjellskaal at ...11827...
Tue Apr 5 12:28:51 EDT 2011

On 04/05/2011 05:19 PM, Youngquist, Jason R. wrote:
> I was wondering if there was any way to disable rule groups based on host groups or IP subnets?
> Ie. with pulledpork and the disablesid.conf file, I can disable rule groups such as "shellcode", "web-iis" etc. globally.
> With the threshold.conf, I can disable one individual rule for multiple IPs or subnets.
> What I would like to be able to do is disable rule group(s) based on host groups or IP subnets.
> Is there any way to do this besides maintaining two instances of snort?
> Thanks.
> Jason Youngquist
> Information Technology Security Engineer
> Technology Services
> Columbia College
> 1001 Rogers Street, Columbia, MO  65216
> (573) 875-7334
> jryoungquist at ...14244...
> http://www.ccis.edu


You would need to "maintain two instances of snort" kinda...

Basically you would use one snort config for all common rules, then
another snort config for you special networks...

Just a pointer to something that might be relevant :)


> ------------------------------------------------------------------------------
> Xperia(TM) PLAY
> It's a major breakthrough. An authentic gaming
> smartphone on the nation's most reliable network.
> And it wants your games.
> http://p.sf.net/sfu/verizon-sfdev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list