[Oisf-users] Whitelist Network in Suricata

jayaprasad v jayaprasad800 at gmail.com
Tue Mar 19 06:35:00 UTC 2019


Thank you. I only need to block the alerts for that IP range. If I use BPF
it will block everything, right (flow, dns, http)?

Please let me know how I can achieve this.

Thanks,
Jayaprasad


On Fri, Mar 15, 2019 at 9:11 PM Nico Holguin <nico at iso.utah.edu> wrote:

> Create a pass rule like this [1]:
> pass ip 64.39.XX.XX/20 any -> any any (msg:"pass all traffic from/to
> 1.2.3.4"; sid:1;)
>
> If you do not want anything from that network, you could also use a more
> efficient capture filter.
>
> [1]
> https://suricata.readthedocs.io/en/suricata-4.1.3/performance/ignoring-traffic.html
>
> Nico
> ________________________________________
> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on
> behalf of jayaprasad v <jayaprasad800 at gmail.com>
> Sent: Friday, March 15, 2019 4:44:02 AM
> To: Open Information Security Foundation
> Subject: [Oisf-users] Whitelist Network in Suricata
>
> Dear All,
>
> Could you please help me with the request below?
>
> I was trying to suppress/whitelist a particular IP network, so that we will
> not get any more alerts from this IP range.
>
> Below are the steps which I tried to suppress but with no success.
>
> Edited /etc/suricata/threshold.config and added below entry
>
> suppress gen_id 0, sig_id 0, track by_src, ip 64.39.XX.XX/20
> suppress gen_id 1, sig_id 0, track by_src, ip 64.39.XX.XX/20
>
> Restarted the suricata service.
>
> Could you please help me and advise how to proceed on this?
>
> Thanks,
> Jayaprasad
>
>
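One way to confirm that a suppress entry or pass rule is doing what this thread wants (no alerts from the range, but flow/dns/http records still logged) is to read the resulting eve.json and count events per type for addresses in the range. This is an added example, not code from the thread or from the Suricata project; the CIDR 64.39.0.0/20 and the log lines are constructed stand-ins for the masked 64.39.XX.XX/20 range.

```python
import ipaddress
import json
from collections import Counter

# Constructed eve.json lines (not real Suricata output from the thread).
# The first alert is what the suppress/pass rule should make disappear;
# the flow/dns/http records for the same range should remain.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"64.39.1.10","dest_ip":"10.0.0.5","alert":{"signature_id":2010935}}
{"event_type":"flow","src_ip":"64.39.1.10","dest_ip":"10.0.0.5"}
{"event_type":"dns","src_ip":"64.39.2.3","dest_ip":"10.0.0.53"}
{"event_type":"http","src_ip":"10.0.0.7","dest_ip":"64.39.15.200"}
{"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"10.0.0.5","alert":{"signature_id":2010935}}
"""

WHITELIST_CIDR = "64.39.0.0/20"  # placeholder for the thread's 64.39.XX.XX/20


def events_touching(lines, cidr):
    """Count eve.json events by event_type where src_ip or dest_ip is in cidr."""
    net = ipaddress.ip_network(cidr)
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        in_range = False
        for key in ("src_ip", "dest_ip"):
            try:
                if ev.get(key) and ipaddress.ip_address(ev[key]) in net:
                    in_range = True
            except ValueError:
                pass  # malformed address field; ignore
        if in_range:
            counts[ev.get("event_type", "unknown")] += 1
    return counts


def whitelist_effective(lines, cidr):
    """True when the range produces no alert events but still shows up in other logs."""
    counts = events_touching(lines, cidr)
    return counts["alert"] == 0 and sum(counts.values()) > 0


if __name__ == "__main__":
    for etype, n in sorted(events_touching(SAMPLE_EVE.splitlines(), WHITELIST_CIDR).items()):
        print(f"{etype}: {n}")
    print("suppression effective:", whitelist_effective(SAMPLE_EVE.splitlines(), WHITELIST_CIDR))
```

Run it against the live eve.json before and after adding the rule; the alert count for the range should drop to zero while the other event types stay.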

