[Snort-users] Event Suppression between specific Source and Destination

Joel Esler jesler at ...1935...
Fri Dec 14 10:33:11 EST 2012


On Fri, Dec 14, 2012 at 04:30:45PM +0100, Guido Hungerbuehler wrote:
> Hi Joel
> 
> Thanks for your feedback. But unfortunately this doesn't work in my
> opinion.
> 
> Assume I have Host A and Host B and I want to suppress a signature
> if and only if traffic goes from Host A to Host B.
> 
> If I create two suppress rules e.g.
> Suppress if originating from A
> and
> Suppress if destination is B
> 
> Then the signature is also suppressed for any other destination than
> B for a packet originating in A. And it is also suppressed for any
> other source than A for a packet with destination B.


Then your alternative at this time is to create a pass rule.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire




More information about the Snort-users mailing list