[Oisf-users] Whitelist IP Confirmation
Mesra.net CEO
admin at mesra.my
Sun Sep 30 13:16:38 UTC 2018
Dear Sir,
Thank you for the answer. Let me show you my rules for whitelisting IPs:
whitelistip.rules
- pass ip [192.0.64.0/18,103.6.182.0/23, ...72.9.144.0/20] any <> $HOME_NET any (msg:"Whitelist IP group 1"; sid:1101; rev:1;)
whielistgeoip.rules
- pass ip any any -> any any (geoip:src,SG; sid:555555555; rev:1;)
I also have other rules for MySQL attacks, which I set as DROP.
The reason I made those 2 whitelists is that one is a group of multiple IPs from multiple countries and the other one is based on GeoIP.
For example, 1.1.1.1 is an IP belonging to Singapore. In the first rule I did put the IP on the list, and of course the 2nd rule, the GeoIP one, also has that IP.
So my problem is why I still find the IP 1.1.1.1 on the list of DROP or wDROP in my fast.log, when the IP is supposed to be whitelisted earlier by the 2 rules. It seems the whitelist sometimes does not work very well. I also did some tests from my PC, trying to attack MySQL; yes, it seems the whitelist works and I didn't see my PC's IP in fast.log.
Any idea what I'm doing wrong here? Please advise, and thank you so much.
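
An added diagnostic, not part of the original post: a Python sketch that scans fast.log for `[Drop]`/`[wDrop]` entries whose source or destination falls inside the CIDRs visible in the pass rule above, and reports which sid fired and on which side of the flow the whitelisted address appeared. The log lines, sids and messages are constructed samples, the function names are hypothetical, only IPv4 is handled, and the GeoIP rule is not evaluated.

```python
import ipaddress
import re
from collections import Counter

# CIDRs visible in the pass rule above (the elided "..." entries are not reproduced).
WHITELIST = [ipaddress.ip_network(n) for n in
             ("192.0.64.0/18", "103.6.182.0/23", "72.9.144.0/20")]

# fast.log entry: [Drop]/[wDrop] tag, [gid:sid:rev], msg, {PROTO} src[:port] -> dst[:port]
LINE_RE = re.compile(
    r"\[(?P<action>w?Drop)\] \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\].*\{(?P<proto>[^}]+)\} "
    r"(?P<src>[0-9.]+)(?::\d+)? -> (?P<dst>[0-9.]+)(?::\d+)?$"
)

# Constructed sample lines (sids and messages are placeholders, not real rules).
SAMPLE_LOG = """\
09/30/2018-12:01:10.100001  [Drop] [**] [1:9000001:1] Constructed MySQL rule [**] [Classification: Misc Attack] [Priority: 1] {TCP} 192.0.64.10:51515 -> 10.0.0.5:3306
09/30/2018-12:01:11.100002  [wDrop] [**] [1:9000001:1] Constructed MySQL rule [**] [Classification: Misc Attack] [Priority: 1] {TCP} 10.0.0.5:3306 -> 103.6.183.7:40000
09/30/2018-12:01:12.100003  [Drop] [**] [1:9000002:1] Constructed other rule [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.9:40000 -> 10.0.0.5:3306
09/30/2018-12:01:13.100004  [**] [1:9000003:1] Constructed alert only [**] [Classification: Misc Attack] [Priority: 3] {TCP} 72.9.144.1:1234 -> 10.0.0.5:80
""".splitlines()

def whitelisted_drops(lines):
    """Return (action, sid, side, ip) for each drop entry involving a whitelisted IP."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line.strip())
        if not m:
            continue  # plain alerts and unparsable lines are skipped
        for side in ("src", "dst"):
            try:
                ip = ipaddress.ip_address(m[side])
            except ValueError:
                continue  # not a valid IPv4 address
            if any(ip in net for net in WHITELIST):
                hits.append((m["action"], int(m["sid"]), side, str(ip)))
    return hits

def summarize(hits):
    """Count hits per (sid, side) to show which rule fires and in which direction."""
    return Counter((sid, side) for _, sid, side, _ in hits)

if __name__ == "__main__":
    for hit in whitelisted_drops(SAMPLE_LOG):
        print(hit)
    print(dict(summarize(whitelisted_drops(SAMPLE_LOG))))
```

To run it against real data, pass the lines of the actual fast.log to `whitelisted_drops` and extend `WHITELIST` with the full list from whitelistip.rules.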