[Oisf-users] question about pass, iprep

erik clark philosnef at gmail.com
Fri Oct 27 14:27:39 UTC 2017


edit: Could I just use a reputation of 2, and say pass anything with

iprep:src,whitelist,<,2

On Fri, Oct 27, 2017 at 10:23 AM, erik clark <philosnef at gmail.com> wrote:

> I have the following rule in place:
>
> alert ip $HOME_NET any -> any any (msg:"OTX internal host talking to host
> known in pulse"; flow:to_server; iprep:dst,Pulse,>,30; sid:41414141; rev:1;)
>
> What I would like to do is:
>
> pass ip $HOME_NET any <> any any (msg:"Pass whitelist"; flow:to_server;$mywhitelistiprep:src;
> sid:12345;)
>
> What I see is that iprep is a directory containing reputation files. Is
> there a way I can have a whitelist specific ip reputation file referenced
> in suricata.yaml?
>
> Currently I just have the iprep directory and reputation.list file. I do
> NOT want the content of the reputation.list file used to pass traffic,
> since I know what is in that is no good. Thanks!
>