[Oisf-users] Whitelist IP Confirmation

Mesra.net CEO admin at mesra.my
Sun Sep 30 13:16:38 UTC 2018

Dear Sir,

Thank you for the answer, let me show you my rules for whitelist IP:

- pass ip [,, ...] any <> $HOME_NET any  (msg:"Whitelist IP group 1"; sid:1101; rev:1;)

- pass ip any any -> any any (geoip:src,SG; sid:555555555; rev:1;)

And i have another rules for MySQL attack and i set as DROP

Why i make those 2 whitelist is because one is group of multiple ip of multiple countries and another one is base of GEOIP

For example is IP belong to Singapore, on first rules i did put the IP on the list, and of course on 2nd rules of GEOIP also have that IP.

So my problem why i still found the IP on the list of DROP or wDROP from my fast.log, suppose the IP is a whitelist ealier by 2 rules. Seem sometime whitelist is not working very well, i also do some test from my pc and and trying to attack MYSQL, yes seem the whitelist is work and i didnt see my pc ip on fast.log

Any idea what i’m wrong here ? Please advice. and thank you so much

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180930/0aa77a87/attachment.html>

More information about the Oisf-users mailing list