[Oisf-users] Whitelist IP Confirmation

Andreas Herz andi at geekosphere.org
Tue Sep 18 21:04:07 UTC 2018


On 15/09/18 at 05:12, Mesra.net CEO wrote:
> Dear Suricata
> 
> My Suricata machine works standalone and not as an IPS. What I mean is that all the traffic is streamed from the Mikrotik firewall to my Suricata machine and filtered by some rules before a trigger is sent back to the Mikrotik. My script monitors fast.log for the word [wDrop], collects the IP and sends it back to the Mikrotik to do the blocking. So my question is: how can I make a rule or a long list of whitelisted IPs so that Suricata will filter all those whitelisted IPs and not list them as [wDrop] in fast.log?
> 
> Please advise and thank you so much

You can use the 'pass' action instead of 'alert' or 'drop' and add the
whitelist.

You could use a var like WHITELIST_IPS = [] and then use this in a pass
rule:

pass ip any any -> $WHITELIST_IPS any (...)


-- 
Andreas Herz
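
As a complement to the pass rule suggested above, the script that collects addresses from fast.log can also refuse to forward whitelisted addresses. The following is an added example, not part of the original thread or of Suricata. It assumes the [wDrop] marker appears somewhere in the alert line and that the source address is the one sent for blocking; the whitelist entries and log lines are constructed.

```python
import ipaddress
import re

MARKER = "[wDrop]"  # marker string the poster's script searches for
# Constructed whitelist (documentation ranges), mixing hosts and CIDR blocks.
WHITELIST = ["192.0.2.10", "198.51.100.0/24", "2001:db8:1::/48"]
# Tail of a fast.log line: "{PROTO} src:port -> dst:port"
ENDPOINTS = re.compile(r"\{[^}]+\}\s+(\S+)\s+->\s+(\S+)\s*$")

def parse_networks(entries):
    """Turn whitelist strings into ip_network objects (hosts become /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def source_ip(line):
    """Return the source address of a fast.log line, or None if unparsable."""
    m = ENDPOINTS.search(line)
    if not m:
        return None
    host = m.group(1).rsplit(":", 1)[0]  # strip the port; IPv6 keeps its colons
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def is_whitelisted(ip, networks):
    return any(ip.version == n.version and ip in n for n in networks)

def block_candidates(lines, networks, marker=MARKER):
    """Unique source IPs from marked lines, in order, minus whitelisted ones."""
    seen, out = set(), []
    for line in lines:
        if marker not in line:
            continue
        ip = source_ip(line)
        if ip is None or is_whitelisted(ip, networks) or ip in seen:
            continue
        seen.add(ip)
        out.append(str(ip))
    return out

# Constructed fast.log lines (not taken from a real sensor).
SAMPLE = [
    "09/15/2018-05:12:01.000001  [**] [1:1000001:1] [wDrop] SSH brute force [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.7:51514 -> 192.0.2.50:22",
    "09/15/2018-05:12:02.000001  [**] [1:1000001:1] [wDrop] SSH brute force [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.23:40100 -> 192.0.2.50:22",
    "09/15/2018-05:12:03.000001  [**] [1:1000002:1] Port scan [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.99:40200 -> 192.0.2.50:80",
    "09/15/2018-05:12:04.000001  [**] [1:1000001:1] [wDrop] SSH brute force [**] [Classification: Misc Attack] [Priority: 2] {TCP} 2001:db8:1::5:40300 -> 2001:db8:2::1:22",
    "09/15/2018-05:12:05.000001  [**] [1:1000001:1] [wDrop] SSH brute force [**] [Classification: Misc Attack] [Priority: 2] {TCP} 2001:db8:ffff::9:40000 -> 2001:db8:2::1:22",
    "09/15/2018-05:12:06.000001  [**] [1:1000001:1] [wDrop] SSH brute force [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.7:51600 -> 192.0.2.50:22",
]
```

Calling block_candidates(SAMPLE, parse_networks(WHITELIST)) yields only the addresses that are safe to hand to the firewall.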

