Netgate Discussion Forum

    Pass list for a specific SPort?

    IDS/IPS
      ryanrowe

      I'd like Snort to ignore SPort == 123 for blocking hosts. There are lots of TOR-based NTP servers which are causing me a headache, and rather than disable the entire rule, I'd like to do something like a Pass List, but for a specific port instead.

      Is this possible?

        jeffhammett

        I don't think it's possible to do it the way you are asking.

        One way to solve this would be to use modifysid on the SID MGMT tab to exclude port 123 from the rules that are being triggered.

        Another option would be to suppress the internal host(s) that are triggering these rules for each specific rule.

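An added example, not part of either post: a small offline check of what excluding source port 123 from a rule header looks like and which source ports the edited rule still covers. The rule text, the SID 1000001 and the IP addresses are constructed placeholders; the real rule and SID come from the alert that is blocking the hosts.

```python
import re

# Constructed sample rule (not from the thread): placeholder SID, documentation IPs.
SAMPLE_RULE = ('alert udp [192.0.2.10,198.51.100.7] any -> $HOME_NET any '
               '(msg:"constructed example"; sid:1000001; rev:1;)')

# action proto src_ip src_port direction dst_ip dst_port (options)
HEADER = re.compile(
    r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+(\(.*\))$')

def port_matches(spec, port):
    """True if a Snort port spec (any, N, N:M, !spec, flat [list]) covers port."""
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        items = spec[1:-1].split(",")
        wanted = [i for i in items if not i.startswith("!")] or ["any"]
        banned = [i[1:] for i in items if i.startswith("!")]
        return (any(port_matches(i, port) for i in wanted)
                and not any(port_matches(i, port) for i in banned))
    if ":" in spec:
        low, high = spec.split(":")
        return int(low or 0) <= port <= int(high or 65535)
    return int(spec) == port  # port variables such as $HTTP_PORTS raise ValueError

def source_port(rule):
    """Return the source-port field of a single-line rule."""
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError("expected a single-line Snort rule")
    return m.group(4)

def exclude_source_port(rule, port):
    """Return the rule with `port` removed from its source-port field."""
    spec = source_port(rule)
    if not port_matches(spec, port):
        return rule  # this source port is already outside the rule
    if spec != "any":
        raise ValueError(f"source port {spec!r} needs a hand-written replacement")
    parts = list(HEADER.match(rule.strip()).groups())
    parts[3] = f"!{port}"
    return " ".join(parts)

if __name__ == "__main__":
    edited = exclude_source_port(SAMPLE_RULE, 123)
    print(edited)
    for sport in (123, 443):
        print(sport, port_matches(source_port(edited), sport))
```

The edited rule no longer covers traffic sourced from port 123 but still covers every other source port, which is the narrower alternative to disabling the rule outright.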
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.