[Snort-users] Exclude IPs from snort rules - snort IPS
forensixland at ...11827...
Wed May 31 22:34:28 EDT 2017
We have Snort 126.96.36.199 running as IPS. I need a recommendation on how to exclude some IPs from a drop rule.
According to the document, suppressing track by source or destination IP only does not log the alerts, but the rule is still applied. When running as IPS, this means it still drops the traffic without logging.
I am considering using a "pass" rule, but I read somewhere there is no way to guarantee the rule order so that the "pass" rule always wins over the "drop" or "alert" rule.
Any suggestions other than modifying the rule?
Thanks in advance!
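
The two options weighed in the message above, written out as Snort 2.x configuration. This is an added example, not part of the original post; the rule bodies, the SIDs 1000001/1000002 and the address 192.0.2.10 are constructed placeholders.

```conf
# Constructed drop rule standing in for the rule the post wants an exception to.
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE drop rule"; content:"example-pattern"; sid:1000001; rev:1;)

# Option 1: event suppression (snort.conf or threshold.conf).
# This filters the event for one source address. As the post describes,
# the rule itself is still evaluated, so in inline mode the traffic from
# 192.0.2.10 is still dropped, only without an alert being logged.
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.10

# Option 2: a pass rule covering the same traffic from the excluded host.
# It only helps if pass rules are evaluated before drop rules, so check
# how the sensor is started: the Snort 2.x command-line flag
# --alert-before-pass makes alert/drop/sdrop/reject rules take effect
# ahead of pass rules, and a "config order:" line in snort.conf changes
# the rule-type evaluation order.
pass tcp 192.0.2.10 any -> $HOME_NET 80 (msg:"EXAMPLE pass for excluded host"; content:"example-pattern"; sid:1000002; rev:1;)
```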