[Oisf-users] question of suricata white list

郑博文 anshuitian at gmail.com
Wed Oct 17 07:12:49 UTC 2012


  Sorry for my poor English.
>
>   I just want to take it as an example.  I know if my HOME_NET is
> 192.168.0.0/16, I can set it to HOME_NET [192.168.0.0/16,!192.168.0.10].
> So, any rule may not be detected for 192.168.0.10. But this is not what I
> expected. I still want most of the rules to protect that server.
>
>   I mean, if some rules alert and drop a packet by mistake, we may
> disable that rule. But if we do so, all other IPs in my home net may not be
> protected by this rule.
>
>   So, my question is: can I just disable some rules for a specific IP?
>
>   I know I can change these rules’ source and destination addresses one by
> one. But it’s too hard if the number of rules is very large.
>   I want to know whether I can simply set up a configuration file like the
> following to do this. Or can some external plug-in module do this job?
>
> The first is the IP. The following are the sids that should be excluded for that IP.
> 192.168.0.10    2000001,2000002-2000005,2000006
> 192.168.0.0/24 2000007,2000008
>
> Thanks.
>
> 2012/10/17 Peter Manev <petermanev at gmail.com>
>
>> Hi,
>>
>> What is your home net variable ?
>> and could you share the rule?
>>
>> thank you
>>
>> On Wed, Oct 17, 2012 at 5:09 AM, 郑博文 <anshuitian at gmail.com> wrote:
>>
>>> I'm sorry, the picture is bad.
>>>
>>>
>>>
>>> 2012/10/17 郑博文 <anshuitian at gmail.com>
>>>
>>>> Hello everybody:
>>>>     I recently learned Suricata. Now I am using Suricata in IPS mode to
>>>> protect two servers (192.168.0.10 and 192.168.0.11), but I want to set it
>>>> so that the rule whose id is 200,001 doesn't work for 192.168.0.10, but
>>>> works for 192.168.0.11. What should I do?  If there are many rules like
>>>> 200,001, what should I do?
>>>>
>>>>     There is my topology:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>     Thanks very much!
>>>>
>>>
>>>
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>>
>>
>
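
An added example, not part of the original message and not Suricata code: a parser for the per-IP exclusion format proposed above, with a lookup and a renderer that writes each entry as a `suppress` line in the syntax of Suricata's threshold.config. The function names, the choice of `gen_id 1` and `track by_dst` (the protected server as destination) are assumptions.

```python
import ipaddress

# Constructed sample, copied from the format proposed in the message.
SAMPLE = """\
192.168.0.10    2000001,2000002-2000005,2000006
192.168.0.0/24 2000007,2000008
"""

def parse_exclusions(text):
    """Return [(network, [(first_sid, last_sid), ...]), ...]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            target, sid_spec = line.split(None, 1)
            # strict=True rejects e.g. 192.168.0.10/24 (host bits set).
            net = ipaddress.ip_network(target, strict=True)
            ranges = []
            for part in sid_spec.replace(" ", "").split(","):
                first, _, last = part.partition("-")
                lo, hi = int(first), int(last or first)
                if lo <= 0 or hi < lo:
                    raise ValueError("bad sid range %r" % part)
                ranges.append((lo, hi))
        except ValueError as exc:
            # Fail closed: a typo must not silently widen an exclusion.
            raise ValueError("line %d: %s" % (lineno, exc)) from None
        entries.append((net, ranges))
    return entries

def is_excluded(entries, ip, sid):
    """True if any entry covering this address lists this sid."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net and any(lo <= sid <= hi for lo, hi in ranges)
               for net, ranges in entries)

def to_suppress_lines(entries, track="by_dst"):
    """Expand every sid range into one suppress line per sid (gen_id 1 assumed)."""
    lines = []
    for net, ranges in entries:
        ip = str(net.network_address) if net.num_addresses == 1 else str(net)
        for lo, hi in ranges:
            for sid in range(lo, hi + 1):
                lines.append("suppress gen_id 1, sig_id %d, track %s, ip %s"
                             % (sid, track, ip))
    return lines

if __name__ == "__main__":
    print("\n".join(to_suppress_lines(parse_exclusions(SAMPLE))))
```

Note that 192.168.0.10 also falls inside 192.168.0.0/24, so both lines of the sample apply to it.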