[Oisf-users] whitelists vrs pass rules
Andreas Herz
andi at geekosphere.org
Sat Apr  1 19:44:43 UTC 2017

On 30/03/17 at 08:24, erik clark wrote:
> I am trying to whitelist a large block of networks (yahoo, google) due to
> issues with our SSL breakout causing large numbers of false positive alerts
> on phishing attempts. Snort has the whitelist file feature; however, all I
> can find for suri is implementing pass rules to not alert on the traffic.
> 
> Is there a way to whitelist domains? It isn't in the suricata.yaml that I
> can find.
You could use the suppress feature:
http://suricata.readthedocs.io/en/latest/performance/ignoring-traffic.html
You could also define a WHITELIST_NET var within the yaml and then use
it in a pass rule.
-- 
Andreas Herz
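The two mechanisms named in the reply behave differently, and the difference matters when the goal is to silence false positives without blinding the sensor: a pass rule ends inspection of the matching packet, so no signature runs against it at all, while a threshold.config suppress entry lets the signature fire and only drops the resulting alert, for one sig_id and (with track by_src/by_dst) one direction. The script below is an added example, not from the thread and not Suricata's own code; it models both mechanisms over constructed configuration fragments (a vars/address-groups dict standing in for the suricata.yaml section, one pass rule using $WHITELIST_NET, one suppress line) and runs a few constructed events through them. The prefixes are placeholders from documentation ranges, not Yahoo or Google allocations; negated address groups, ports, protocols and Suricata's flow-level pass semantics are deliberately not modelled.

```python
"""Model of Suricata pass rules vs threshold.config suppress (added example)."""
import ipaddress
import re

# --- constructed configuration fragments (placeholders, not real vendor nets) ---

# Stand-in for suricata.yaml -> vars -> address-groups.
ADDRESS_GROUPS = {
    "HOME_NET": "[10.0.0.0/8,192.168.0.0/16]",
    "WHITELIST_NET": "[203.0.113.0/24,198.51.100.0/24]",
}

# Pass rule as it would sit in a .rules file, referencing the yaml variable.
PASS_RULES = [
    'pass ip $WHITELIST_NET any <> $HOME_NET any '
    '(msg:"vendor networks, skip inspection"; sid:1000001; rev:1;)',
]

# threshold.config suppress entry: one signature, checked against the dst IP.
SUPPRESS_LINES = [
    "suppress gen_id 1, sig_id 2024001, track by_dst, ip 203.0.113.0/24",
]

# --- parsing ---------------------------------------------------------------

def expand_group(spec):
    """Resolve 'any', '$VAR' or '[a,b,$VAR]' to a list of ip_network objects."""
    spec = spec.strip()
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec.startswith("$"):
        return expand_group(ADDRESS_GROUPS[spec[1:]])
    if spec.startswith("["):
        nets = []
        for item in spec[1:-1].split(","):
            nets.extend(expand_group(item))
        return nets
    return [ipaddress.ip_network(spec, strict=False)]

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+\S+\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+\S+\s+\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Extract action, resolved src/dst groups, direction and sid from a rule."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unparsable rule: " + text)
    sid = int(re.search(r"sid:\s*(\d+)", m["opts"]).group(1))
    return {"action": m["action"], "src": expand_group(m["src"]),
            "dst": expand_group(m["dst"]), "bidir": m["dir"] == "<>", "sid": sid}

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+),\s*sig_id\s+(?P<sid>\d+)"
    r"(?:,\s*track\s+(?P<track>by_src|by_dst),\s*ip\s+(?P<ip>\S+))?\s*$"
)

def parse_suppress(line):
    """Parse a suppress entry; track/ip are optional (absent = suppress all)."""
    m = SUPPRESS_RE.match(line)
    if not m:
        raise ValueError("unparsable suppress line: " + line)
    net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
    return {"gid": int(m["gid"]), "sid": int(m["sid"]), "track": m["track"], "net": net}

# --- evaluation ------------------------------------------------------------

def in_any(addr, nets):
    return any(addr in n for n in nets)

def pass_matches(rule, src, dst):
    fwd = in_any(src, rule["src"]) and in_any(dst, rule["dst"])
    rev = rule["bidir"] and in_any(src, rule["dst"]) and in_any(dst, rule["src"])
    return fwd or rev

def suppress_matches(entry, sid, src, dst):
    if entry["sid"] != sid:
        return False
    if entry["track"] is None:
        return True
    return (src if entry["track"] == "by_src" else dst) in entry["net"]

def decide(event, pass_rules=PASS_RULES, suppress_lines=SUPPRESS_LINES):
    """Return 'pass', 'suppressed' or 'alert' for an event {sid, src, dst}."""
    src = ipaddress.ip_address(event["src"])
    dst = ipaddress.ip_address(event["dst"])
    # Suricata evaluates pass before alert regardless of file order; a matching
    # pass rule ends inspection, so no signature (and no alert) runs at all.
    for rule in map(parse_rule, pass_rules):
        if rule["action"] == "pass" and pass_matches(rule, src, dst):
            return "pass"
    # Otherwise the signature fires; suppress only decides whether the alert
    # for that specific sig_id is logged, and only in the tracked direction.
    for entry in map(parse_suppress, suppress_lines):
        if suppress_matches(entry, event["sid"], src, dst):
            return "suppressed"
    return "alert"

if __name__ == "__main__":
    for ev in ({"sid": 2024001, "src": "10.1.2.3", "dst": "203.0.113.10"},
               {"sid": 2024002, "src": "203.0.113.10", "dst": "10.1.2.3"},
               {"sid": 2024001, "src": "10.1.2.3", "dst": "192.0.2.7"}):
        print(ev, "->", decide(ev), "/ without pass rule:", decide(ev, pass_rules=[]))
```

Running the events with `pass_rules=[]` shows the caveat in practice: the suppress entry hides sid 2024001 only when the whitelisted prefix is the destination, so the same signature on the reverse direction, or any other sid against the same hosts, still alerts. That is the right tool when a handful of signatures misfire on known-good services; the pass rule is the right tool when the whole conversation with those networks should not be inspected, at the cost of losing every other detection on it.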