[Oisf-users] whitelist with timeout?

John Devine john.devine at nuspire.com
Wed Oct 12 18:41:41 UTC 2016

thanks for your input. That's the path I'm going down at the moment, creating my own custom rules file. The key piece I need to know is if there is timeout functionality on the rules and where, if at all, does suricata keep track of what it has blocked. I want to be able to see an IP that was blocked by suricata, unblock it "for now" (not whitelist it entirely) but have it alert again if it generates bad traffic in the future.

From: Cooper F. Nelson <cnelson at ucsd.edu>
Sent: Wednesday, October 12, 2016 1:21 PM
To: John Devine; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] whitelist with timeout?

Sort of.

What you could do is create pass rules to whitelist the IPs and then
store them in a separate rules file, like 'pass.rules'.

You could then have a separate process to add/remove pass rules in this
file via cron or some other mechanism, then trigger a rule reload on the
suricata process.


On 10/12/2016 5:49 AM, John Devine wrote:
> Hi all,
> Quick question regarding suricata: is it possible to whitelist IPs with a specific timeout in suricata?
> Thanks
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/

FAQ A list of frequently asked questions (and their answers) is available here: Frequently Asked Questions Training Training options are now available: training Mailinglists Several users and devel...


Open Source IDS / IPS / NSM engine

> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
2016 Conference in Washington, DC - suricon.net<http://suricon.net/>
Doug started Security Onion in 2008 to provide a comprehensive platform for intrusion detection, network security monitoring, and log management.


Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20161012/f8783dd1/attachment-0002.html>

More information about the Oisf-users mailing list