[Snort-users] Event Suppression between specific Source and Destination

Guido Hungerbuehler guh at ...15642...
Fri Dec 14 10:35:12 EST 2012


A pass rule would be without any effect because I run the sensor in 
alert-before-pass configuration.

Is there any other possibility?

On 12/14/2012 04:33 PM, Joel Esler wrote:
> On Fri, Dec 14, 2012 at 04:30:45PM +0100, Guido Hungerbuehler wrote:
>> Hi Joel
>>
>> Thanks for your feedback. But unfortunately this doesn't work in my
>> opinion.
>>
>> Assume I have Host A and Host B and I want to suppress a signature
>> if and only if traffic goes from Host A to Host B.
>>
>> If I create two suppress rules e.g.
>> Suppress if originating from A
>> and
>> Suppress if destination is B
>>
>> Then the signature is also suppressed for any other destination than
>> B for a packet originating in A. And it is also suppressed for any
>> other source than A for a packet with destination B.
>
>
> Then your alternative at this time is to create a pass rule.
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
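
Added example, not part of either poster's message and not Snort's own code: a small Python model of the two-entry approach discussed in this thread, listing the flows the entries silence beyond A to B. It assumes each suppress entry is evaluated on its own, as the thread describes; the addresses and the sid are constructed sample values.

```python
import ipaddress

# Constructed sample values: Host A, Host B and one unrelated host.
HOST_A, HOST_B, HOST_C = "192.0.2.10", "192.0.2.20", "192.0.2.30"

# The two entries from the thread, written in Snort 2.x suppress syntax.
SUPPRESS_CONF = f"""
suppress gen_id 1, sig_id 1000001, track by_src, ip {HOST_A}
suppress gen_id 1, sig_id 1000001, track by_dst, ip {HOST_B}
"""

# Constructed flows (src, dst) that all trigger the same signature.
FLOWS = [(HOST_A, HOST_B), (HOST_A, HOST_C), (HOST_C, HOST_B), (HOST_C, HOST_A)]

def parse_suppress(conf):
    """Parse 'suppress gen_id G, sig_id S, track by_src|by_dst, ip NET' lines."""
    entries = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("suppress "):
            continue
        f = dict(part.split() for part in line[len("suppress "):].split(","))
        net = ipaddress.ip_network(f["ip"], strict=False)
        entries.append((int(f["gen_id"]), int(f["sig_id"]), f["track"], net))
    return entries

def is_suppressed(entries, gid, sid, src, dst):
    """Any single matching entry suppresses the event (logical OR)."""
    for g, s, track, net in entries:
        addr = src if track == "by_src" else dst
        if (g, s) == (gid, sid) and ipaddress.ip_address(addr) in net:
            return True
    return False

def over_suppressed(entries, flows, gid=1, sid=1000001):
    """Flows that are silenced although they are not the intended A -> B pair."""
    return [(s, d) for s, d in flows
            if is_suppressed(entries, gid, sid, s, d)
            and not (s == HOST_A and d == HOST_B)]

if __name__ == "__main__":
    entries = parse_suppress(SUPPRESS_CONF)
    for src, dst in FLOWS:
        state = "suppressed" if is_suppressed(entries, 1, 1000001, src, dst) else "alerts"
        print(f"{src} -> {dst}: {state}")
    print("unintended:", over_suppressed(entries, FLOWS))
```
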



