[Oisf-users] question about pass, iprep
erik clark
philosnef at gmail.com
Fri Oct 27 14:23:11 UTC 2017
I have the following rule in place:
alert ip $HOME_NET any -> any any (msg:"OTX internal host talking to host known in pulse"; flow:to_server; iprep:dst,Pulse,>,30; sid:41414141; rev:1;)
What I would like to do is:
pass ip $HOME_NET any <> any any (msg:"Pass whitelist"; flow:to_server; $mywhitelistiprep:src; sid:12345;)
What I see is that iprep is a directory containing reputation files. Is
there a way I can have a whitelist-specific IP reputation file referenced
in suricata.yaml?
Currently I just have the iprep directory and reputation.list file. I do
NOT want the content of the reputation.list file used to pass traffic,
since I know what is in that is no good. Thanks!
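
Added example, not part of the original post and not Suricata code: a simplified Python model of how iprep scores are scoped per category, so a whitelist kept in its own file and category is evaluated separately from the entries in reputation.list. The Whitelist category, whitelist.list, the category ids, the sample addresses and scores, and the iprep:any,Whitelist,>,0 clause are assumptions made for illustration.

```python
"""Simplified model of Suricata iprep matching; all sample data is constructed."""
import operator

# Categories file (reputation-categories-file): <id>,<short name>,<description>
CATEGORIES = """\
1,Pulse,Hosts seen in OTX pulses
2,Whitelist,Hosts that must not alert
"""

# Reputation files (listed under reputation-files): <ip>,<category id>,<score>
REPUTATION_FILES = {
    "reputation.list": "203.0.113.7,1,80\n198.51.100.9,1,45\n",
    "whitelist.list": "198.51.100.9,2,100\n",  # hypothetical second file
}

OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}


def load(categories_text, files):
    """Return {(ip, category short name): score} merged from all files."""
    names = {}
    for line in categories_text.splitlines():
        cat_id, short, _desc = line.split(",", 2)
        names[int(cat_id)] = short
    rep = {}
    for text in files.values():
        for line in text.splitlines():
            ip, cat_id, score = line.split(",")
            rep[(ip, names[int(cat_id)])] = int(score)
    return rep


def iprep(rep, ip, category, op, value):
    """True if ip has a score in this category and the comparison holds."""
    score = rep.get((ip, category))
    return score is not None and OPS[op](score, value)


def verdict(rep, src, dst):
    """Check the pass rule before the alert rule, as the default action order does."""
    # Hypothetical pass rule: iprep:any,Whitelist,>,0
    if any(iprep(rep, ip, "Whitelist", ">", 0) for ip in (src, dst)):
        return "pass"
    # Alert rule from the post: iprep:dst,Pulse,>,30
    if iprep(rep, dst, "Pulse", ">", 30):
        return "alert"
    return "none"
```

In this model an address that appears only in reputation.list never satisfies the Whitelist clause, because its score is stored under the Pulse category.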