[Snort-users] Blocking based on snort alerts.

fatema bannatwala fatema.bannatwala at ...11827...
Thu Jan 5 08:19:55 EST 2017


Hi,

Just wanted to ask if anyone is blocking IPs that are triggering specific
Snort alerts.
We are blocking IPs based on the triggering of some Snort alerts that we think
are legit and do not trigger on false positives.
The reason I ask is that in the past we had a good number of Snort alerts that
were set to block the IPs triggering those alerts, but it turned out that
we were blocking some legit IPs from accessing the network because of false
positives that were triggering those Snort alerts.
Hence, would anyone like to share the sids they are using to take direct
actions, like blocking at the border, when those sids get triggered?

Appreciate any comments/suggestions.

Thanks,
Fatema.
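
The guardrails this message is concerned with, as an added example that is not part of the original post: only an explicitly vetted set of SIDs can produce a block candidate, never-block networks are excluded, and a source must alert more than once. The SIDs, networks, threshold and sample alert lines are constructed assumptions, and the parser assumes Snort's `alert_fast` output format.

```python
import ipaddress
import re
from collections import defaultdict

# Snort "fast" alert line: ... [gid:sid:rev] msg ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?"
    r"\{\w+\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->"
)

# Assumption: placeholder SIDs from the local-rule range, not recommendations.
BLOCK_SIDS = {1000001, 1000002}
# Assumption: addresses that must never be auto-blocked (own ranges, resolvers, partners).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.53/32")]
MIN_HITS = 2  # alerts required from one source before it becomes a candidate

# Constructed sample alerts (documentation address ranges), not real traffic.
SAMPLE = """\
01/05-08:19:55.100000  [**] [1:1000001:1] LOCAL placeholder A [**] [Priority: 1] {TCP} 203.0.113.7:51514 -> 192.0.2.10:80
01/05-08:19:56.100000  [**] [1:1000001:1] LOCAL placeholder A [**] [Priority: 1] {TCP} 203.0.113.7:51515 -> 192.0.2.10:80
01/05-08:20:01.000000  [**] [1:1000003:1] LOCAL noisy rule [**] [Priority: 3] {TCP} 203.0.113.9:40000 -> 192.0.2.10:443
01/05-08:20:02.000000  [**] [1:1000003:1] LOCAL noisy rule [**] [Priority: 3] {TCP} 203.0.113.9:40001 -> 192.0.2.10:443
01/05-08:20:05.000000  [**] [1:1000002:1] LOCAL placeholder B [**] [Priority: 1] {UDP} 198.51.100.53:53 -> 192.0.2.20:33000
01/05-08:20:06.000000  [**] [1:1000002:1] LOCAL placeholder B [**] [Priority: 1] {UDP} 198.51.100.53:53 -> 192.0.2.20:33001
01/05-08:20:09.000000  [**] [1:1000002:1] LOCAL placeholder B [**] [Priority: 1] {TCP} 203.0.113.44:1234 -> 192.0.2.10:22
"""

def block_candidates(lines, block_sids=BLOCK_SIDS, never_block=NEVER_BLOCK, min_hits=MIN_HITS):
    """Return {source_ip: [vetted SIDs seen]} for sources that qualify for a block."""
    hits = defaultdict(list)
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or m["gid"] != "1" or int(m["sid"]) not in block_sids:
            continue  # unparsable line, non-rule generator, or SID not vetted for blocking
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address in the log line
        if any(src in net for net in never_block):
            continue  # a false positive here would cut off a legitimate host
        hits[str(src)].append(int(m["sid"]))
    return {ip: sorted(set(sids)) for ip, sids in hits.items() if len(sids) >= min_hits}

if __name__ == "__main__":
    for ip, sids in block_candidates(SAMPLE.splitlines()).items():
        print(f"candidate {ip} sids={sids}")
```

The function only returns candidates; feeding them to a border device, and expiring the blocks, is left to whatever mechanism the site already uses.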