<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>thanks for your input. That's the path I'm going down at the moment, creating my own custom rules file. The key piece I need to know is if there is timeout functionality on the rules and where, if at all, does suricata keep track of what it has blocked.
I want to be able to see an IP that was blocked by suricata, unblock it "for now" (not whitelist it entirely) but have it alert again if it generates bad traffic in the future.</p>
<br>
<br>
<div style="color: rgb(0, 0, 0);">
<div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Cooper F. Nelson <cnelson@ucsd.edu><br>
<b>Sent:</b> Wednesday, October 12, 2016 1:21 PM<br>
<b>To:</b> John Devine; oisf-users@lists.openinfosecfoundation.org<br>
<b>Subject:</b> Re: [Oisf-users] whitelist with timeout?</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">Sort of.<br>
<br>
What you could do is create pass rules to whitelist the IPs and then<br>
store them in a separate rules file, like 'pass.rules'.<br>
<br>
You could then have a separate process to add/remove pass rules in this<br>
file via cron or some other mechanism, then trigger a rule reload on the<br>
suricata process.<br>
<br>
-Coop<br>
<br>
On 10/12/2016 5:49 AM, John Devine wrote:<br>
> Hi all,<br>
> <br>
> Quick question regarding suricata: is it possible to whitelist IPs with a specific timeout in suricata?<br>
> <br>
> Thanks<br>
> <br>
> <br>
> <br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org<br>
> Site: <a href="http://suricata-ids.org" id="LPlnk109718" previewremoved="true">
http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" id="LPlnk838734" previewremoved="true">
http://suricata-ids.org/support/</a>
<div id="LPBorder_GT_14762975175860.7239833386634977" style="margin-bottom: 20px; overflow: auto; width: 100%; text-indent: 0px;">
<table id="LPContainer_14762975175770.08709694456246919" cellspacing="0" style="width: 90%; position: relative; overflow: auto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top-width: 1px; border-top-style: dotted; border-top-color: rgb(200, 200, 200); border-bottom-width: 1px; border-bottom-style: dotted; border-bottom-color: rgb(200, 200, 200); background-color: rgb(255, 255, 255);">
<tbody>
<tr valign="top" style="border-spacing: 0px;">
<td id="ImageCell_14762975175780.7313601802772112" colspan="1" style="width: 250px; position: relative; display: table-cell; padding-right: 20px;">
<div id="LPImageContainer_14762975175780.8772322261099226" style="height: 200px; position: relative; margin: auto; display: table; width: 200px; background-color: rgb(255, 255, 255);">
<a id="LPImageAnchor_14762975175790.3656977153386476" href="http://suricata-ids.org/support/" target="_blank" style="display: table-cell; text-align: center;"><img aria-label="Preview image with link selected. Double-tap to open the link." id="LPThumbnailImageID_14762975175790.9226617319529431" width="200" height="200" style="display: inline-block; max-width: 250px; max-height: 250px; height: 200px; width: 200px; border-width: 0px; vertical-align: bottom;" src="https://secure.gravatar.com/blavatar/b35fe77e09a7541f738f500f4db6b857?s=200&ts=1476297516"></a></div>
</td>
<td id="TextCell_14762975175790.6989477779621112" colspan="2" style="vertical-align: top; position: relative; padding: 0px; display: table-cell;">
<div id="LPRemovePreviewContainer_14762975175800.003936205808754867"></div>
<div id="LPTitle_14762975175800.9653556748551697" style="top: 0px; color: rgb(0, 120, 215); font-weight: normal; font-size: 21px; font-family: wf_segoe-ui_light, "Segoe UI Light", "Segoe WP Light", "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; line-height: 21px;">
<a id="LPUrlAnchor_14762975175810.8627544842692612" href="http://suricata-ids.org/support/" target="_blank" style="text-decoration: none;">Support</a></div>
<div id="LPMetadata_14762975175810.12260422548799732" style="margin: 10px 0px 16px; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; font-size: 14px; line-height: 14px;">
suricata-ids.org</div>
<div id="LPDescription_14762975175850.24535632198131707" style="display: block; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidden;">
FAQ A list of frequently asked questions (and their answers) is available here: Frequently Asked Questions Training Training options are now available: training Mailinglists Several users and devel…</div>
</td>
</tr>
</tbody>
</table>
</div>
<br>
<div id="LPBorder_GT_14762975175580.1994711717184443" style="margin-bottom: 20px; overflow: auto; width: 100%; text-indent: 0px;">
<table id="LPContainer_14762975175500.22880691304924006" cellspacing="0" style="width: 90%; position: relative; overflow: auto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top-width: 1px; border-top-style: dotted; border-top-color: rgb(200, 200, 200); border-bottom-width: 1px; border-bottom-style: dotted; border-bottom-color: rgb(200, 200, 200); background-color: rgb(255, 255, 255);">
<tbody>
<tr valign="top" style="border-spacing: 0px;">
<td id="ImageCell_14762975175530.832277711748709" colspan="1" style="width: 250px; position: relative; display: table-cell; padding-right: 20px;">
<div id="LPImageContainer_14762975175530.8310924445535075" style="height: 200px; position: relative; margin: auto; display: table; width: 200px; background-color: rgb(255, 255, 255);">
<a id="LPImageAnchor_14762975175540.540765306549015" href="http://suricata-ids.org/" target="_blank" style="display: table-cell; text-align: center;"><img aria-label="Preview image with link selected. Double-tap to open the link." id="LPThumbnailImageID_14762975175540.1685767750135041" style="display: inline-block; max-width: 250px; max-height: 250px; height: 200px; width: 200px; border-width: 0px; vertical-align: bottom;" width="200" height="200" src="https://secure.gravatar.com/blavatar/b35fe77e09a7541f738f500f4db6b857?s=200&ts=1476297516"></a></div>
</td>
<td id="TextCell_14762975175550.7340507926883426" colspan="2" style="vertical-align: top; position: relative; padding: 0px; display: table-cell;">
<div id="LPRemovePreviewContainer_14762975175560.8183579764633939"></div>
<div id="LPTitle_14762975175560.6865993040337595" style="top: 0px; color: rgb(0, 120, 215); font-weight: normal; font-size: 21px; font-family: wf_segoe-ui_light, "Segoe UI Light", "Segoe WP Light", "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; line-height: 21px;">
<a id="LPUrlAnchor_14762975175560.5969544969902407" href="http://suricata-ids.org/" target="_blank" style="text-decoration: none;">Suricata</a></div>
<div id="LPMetadata_14762975175570.8241386893068665" style="margin: 10px 0px 16px; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; font-size: 14px; line-height: 14px;">
suricata-ids.org</div>
<div id="LPDescription_14762975175580.49634210481574326" style="display: block; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidden;">
Open Source IDS / IPS / NSM engine</div>
</td>
</tr>
</tbody>
</table>
</div>
<br>
<br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" id="LPlnk631115" previewremoved="true">
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> Suricata User Conference November 9-11 in Washington, DC: <a href="http://suricon.net" id="LPlnk471992" previewremoved="true">
http://suricon.net</a>
<div id="LPBorder_GT_14762975757900.45550363337163424" style="margin-bottom: 20px; overflow: auto; width: 100%; text-indent: 0px;">
<table id="LPContainer_14762975757850.8629351861051531" cellspacing="0" style="width: 90%; position: relative; overflow: auto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top-width: 1px; border-top-style: dotted; border-top-color: rgb(200, 200, 200); border-bottom-width: 1px; border-bottom-style: dotted; border-bottom-color: rgb(200, 200, 200); background-color: rgb(255, 255, 255);">
<tbody>
<tr valign="top" style="border-spacing: 0px;">
<td id="TextCell_14762975757860.7897050246757233" colspan="2" style="vertical-align: top; position: relative; padding: 0px; display: table-cell;">
<div id="LPRemovePreviewContainer_14762975757870.5694721773181226"></div>
<div id="LPTitle_14762975757870.4921379261130914" style="top: 0px; color: rgb(0, 120, 215); font-weight: normal; font-size: 21px; font-family: wf_segoe-ui_light, "Segoe UI Light", "Segoe WP Light", "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; line-height: 21px;">
<a id="LPUrlAnchor_14762975757880.7610590654016416" href="http://suricon.net/" target="_blank" style="text-decoration: none;">2016 Conference in Washington, DC - suricon.net</a></div>
<div id="LPMetadata_14762975757880.5323752496257688" style="margin: 10px 0px 16px; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; font-size: 14px; line-height: 14px;">
suricon.net</div>
<div id="LPDescription_14762975757890.5692585937099861" style="display: block; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, "Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidden;">
Doug started Security Onion in 2008 to provide a comprehensive platform for intrusion detection, network security monitoring, and log management.</div>
</td>
</tr>
</tbody>
</table>
</div>
<br>
<br>
> <br>
<br>
<br>
-- <br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ITS Security Team<br>
cnelson@ucsd.edu x41042<br>
<br>
</div>
</span></font></div>
</div>
</body>
</html>