Suppress all alerts for IP as destination?
-
We are configuring Snort in pfSense 2.3.2. We would like alerts on inbound traffic to our primary HTTP server to fire, block the source IP, but leave our HTTP server unblocked. While I know how to suppress individual alerts on a destination IP, I would like to quickly suppress all inbound alerts to the public-facing server, as I don't want to have to micromanage the suppression list while any number of alerts are fleshed out one at a time. I don't want to whitelist globally, as I want Snort to block the server if it were to become infected and tried to connect to an external server with behavior that would trigger the alert. Is there a way to do something like suppress * track by_dst, ip <internal server ip>? Haven't been able to find a full spec for the suppress syntax.
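The suppress directive Snort documents in threshold.conf takes one signature at a time: suppress gen_id <gid>, sig_id <sid>, track by_src|by_dst, ip <address>. The page does not settle whether a wildcard signature is accepted, so the script below (an added example, not code from the poster or from the pfSense Snort package) takes the other route to avoid hand-editing: it reads alert_fast log lines, keeps the signatures that fired with the chosen destination address, and emits one per-signature suppress entry for each. The log lines, the SIDs in the local 1000000+ range and the addresses are constructed for the example; the parse_fast_alert, suppress_entries and build_threshold_conf names are mine. One caveat for the scenario in the question: a suppressed event is discarded entirely, so nothing is logged and the source IP is not blocked either; this only removes the repetitive part of maintaining the list.

```python
import re
from ipaddress import ip_address

# Constructed alert_fast lines (gid:sid:rev, message, classification, protocol, src -> dst).
# SIDs are in the local range so they do not claim to be real ruleset signatures.
SAMPLE_ALERTS = """\
08/10-14:22:31.123456  [**] [1:1000001:1] LOCAL web probe [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:44123 -> 198.51.100.5:80
08/10-14:22:35.000100  [**] [1:1000001:1] LOCAL web probe [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.11:50000 -> 198.51.100.5:80
08/10-14:23:02.777000  [**] [1:1000002:1] LOCAL suspicious URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.12:41000 -> 198.51.100.5:443
08/10-14:23:40.000000  [**] [1:1000003:1] LOCAL SIP scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.13:5060 -> 198.51.100.7:5060
08/10-14:24:10.000000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.14 -> 198.51.100.5
"""

# Generator id, signature id, revision, message, protocol, then "src -> dst" at end of line.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def split_host_port(endpoint):
    """Split 'a.b.c.d:port' into (ip, port); port is None when absent (portscan events).
    IPv6 endpoints are returned whole (assumption: only IPv4 carries a port here)."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host, int(port)
    return endpoint, None


def parse_fast_alert(line):
    """Return the fields of one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    src_ip, _ = split_host_port(m["src"])
    dst_ip, dst_port = split_host_port(m["dst"])
    return {
        "gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"],
        "proto": m["proto"], "src": src_ip, "dst": dst_ip, "dst_port": dst_port,
    }


def suppress_entries(lines, dst_ip):
    """Unique (gid, sid) pairs that fired with dst_ip as the destination, sorted."""
    target = ip_address(dst_ip)
    seen = set()
    for line in lines:
        event = parse_fast_alert(line)
        if event and ip_address(event["dst"]) == target:
            seen.add((event["gid"], event["sid"]))
    return sorted(seen)


def render_suppress(gid, sid, dst_ip):
    """One threshold.conf suppress line, tracked by destination address."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {dst_ip}"


def build_threshold_conf(lines, dst_ip):
    """All suppress lines for alerts whose destination was dst_ip, newline-joined."""
    return "\n".join(render_suppress(g, s, dst_ip) for g, s in suppress_entries(lines, dst_ip))


if __name__ == "__main__":
    # Re-run against the real alert log whenever new signatures appear; append the output
    # to the suppression list instead of adding entries one at a time.
    print(build_threshold_conf(SAMPLE_ALERTS.splitlines(), "198.51.100.5"))
```

Feed it the live alert log in place of SAMPLE_ALERTS and the target server's address; only signatures observed with that server as destination are suppressed, so outbound alerts from the same host (where it is the source) are untouched, which matches the requirement of still blocking the server if it starts behaving badly.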
-
We have a somewhat similar problem. We have several external IP addresses: one for mail, one for our web server and one for everything else. We would like Snort to scan and block two of the three official IP addresses and leave the third untouched, or better phrased, unscanned.
I have no real idea how to do that. At first I thought I could put the IP which should not be scanned outside of the home net or external net, but I couldn't get Snort to not scan the IP.
Does anyone have a helping hand for me?