[Oisf-users] whitelists vrs pass rules

Andreas Herz andi at geekosphere.org
Sat Apr 1 19:44:43 UTC 2017

On 30/03/17 at 08:24, erik clark wrote:
> I am trying to whitelist a large block of networks (yahoo, google) due to
> issues with our SSL breakout causing large numbers of false positive alerts
> on phishing attempts. Snort has the whitelist file feature; However, all I
> can find for suri is implementing pass rules to not alert on the traffic.
> Is there a way to whitelist domains? It isn't in the suricata.yaml that I
> can find.

You could use the suppress feature:


You could also define a WHITELIST_NET var within the yaml and then use
it in a pass rule.

Andreas Herz

More information about the Oisf-users mailing list