[Oisf-users] question about pass, iprep

erik clark philosnef at gmail.com
Fri Oct 27 14:23:11 UTC 2017

I have the following rule in place:

alert ip $HOME_NET any -> any any (msg:"OTX internal host talking to host
known in pulse"; flow:to_server; iprep:dst,Pulse,>,30; sid:41414141; rev:1;)

What I would like to is:

pass ip $HOME_NET any <> any any (msg:"Pass whitelist";
flow:to_server;$mywhitelistiprep:src; sid:12345;)

What I see is that iprep is a directory containing reputation files. Is
there a way I can have a whitelist specific ip reputation file referenced
in suricata.yaml?

Currently I just have the iprep directory and reputation.list file. I do
NOT want the content of the reputation.list file used to pass traffic,
since I know what is in that is no good. Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171027/de598a0a/attachment.html>

More information about the Oisf-users mailing list