[Oisf-users] Whitelist Network in Suricata
Nico Holguin
nico at iso.utah.edu
Fri Mar 15 15:41:20 UTC 2019
Create a pass rule like this [1]:
pass ip 64.39.XX.XX/20 any -> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:1;)
If you do not want anything from that network, you could also use a more efficient capture filter.
[1]https://suricata.readthedocs.io/en/suricata-4.1.3/performance/ignoring-traffic.html
Nico
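As an added check (not part of the thread, not Suricata's own code), the script below reads eve.json alert records and counts how many still involve the whitelisted network, split by direction. Alerts with the source in the range are what the `pass ip NET any -> any any` rule above and the `track by_src` suppress entries cover; alerts with only the destination in the range are the return direction those entries leave alone. The sample records and the unmasked 64.39.0.0/20 network are constructed stand-ins.

```python
"""Count eve.json alerts that still touch a whitelisted CIDR (added example)."""
import ipaddress
import json

# Constructed sample of eve.json lines (one JSON object per line), not real alerts.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"64.39.1.10","dest_ip":"10.0.0.5","alert":{"signature_id":2100498,"signature":"TEST src in range"}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"64.39.2.20","alert":{"signature_id":2100499,"signature":"TEST dest in range"}}
{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","alert":{"signature_id":2100500,"signature":"TEST outside range"}}
{"event_type":"flow","src_ip":"64.39.1.10","dest_ip":"10.0.0.5"}
"""


def classify_alerts(eve_text, cidr):
    """Return counts of alert events whose src, dest, or neither address lies in cidr.

    'src'  : covered by 'pass ip NET any -> any any' or a 'track by_src' suppress.
    'dest' : return direction; only covered if the pass rule uses '<>' instead of '->'.
    'neither': unrelated to the whitelisted network.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    counts = {"src": 0, "dest": 0, "neither": 0}
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue  # flow, dns, etc. records are irrelevant to alert whitelisting
        src_in = ipaddress.ip_address(event["src_ip"]) in net
        dst_in = ipaddress.ip_address(event["dest_ip"]) in net
        if src_in:
            counts["src"] += 1
        elif dst_in:
            counts["dest"] += 1
        else:
            counts["neither"] += 1
    return counts


if __name__ == "__main__":
    # 64.39.0.0/20 stands in for the masked 64.39.XX.XX/20 from the thread.
    # After the pass rule or suppress entry is loaded, 'src' should drop to 0
    # on a fresh eve.json; a non-zero 'dest' shows the return direction is not covered.
    print(classify_alerts(SAMPLE_EVE, "64.39.0.0/20"))
```

Run it against a real eve.json with `classify_alerts(open("/var/log/suricata/eve.json").read(), "<your CIDR>")` after restarting Suricata; any remaining `src` hits mean the pass rule or threshold.config entry was not picked up.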
________________________________________
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of jayaprasad v <jayaprasad800 at gmail.com>
Sent: Friday, March 15, 2019 4:44:02 AM
To: Open Information Security Foundation
Subject: [Oisf-users] Whitelist Network in Suricata
Dear All,
Could you please help me with the request below?
I was trying to suppress/whitelist a particular IP network, so that we will not get any more alerts from this IP range.
Below are the steps I tried to suppress it, but with no success.
Edited /etc/suricata/threshold.config and added the entries below:
suppress gen_id 0, sig_id 0, track by_src, ip 64.39.XX.XX/20
suppress gen_id 1, sig_id 0, track by_src, ip 64.39.XX.XX/20
Restarted the suricata service.
Could you please help me and advise how to proceed on this?
Thanks,
Jayaprasad