[Snort-users] Exclude IPs from snort rules - snort IPS

Forensix Land forensixland at ...11827...
Wed May 31 22:34:28 EDT 2017

We have snort running as IPS. I need recommendation on how to exclude some IPs from a drop rule.
According to the document, suppressing track by source or destination ip only does not log the alerts but the rule is still applied. when running as IPS, this means it still drops the traffic without logging.

I am considering using "pass" rule, but I read somewhere there is no way to guarantee the rule order so the "pass" rule always wins over the "drop" or "alert" rule. 

Any other suggestions than modifying the rule?

Thanks in advance!


More information about the Snort-users mailing list