Only block source on specific SIDs
-
We've got public facing SSH server behind a pfSense 2.3.2 firewall running SNORT. Currently, our Server LAN IP is whitelisted and we're blocking block source and dest IPs when an alert is fired. I can easily suppress certain alerts when the destination is our Server's internal IP, but I'd much prefer to just block the source IP on inbound alerts (Such as SSH scans etc that we get due to SSH traffic being forwarded through Firewall). I would also like to remove the Server LAN IP from the whitelist as I want it to get blocked if it's the source triggering an alert but I can't have alerts generated by external traffic causing the SSH server to get blocked in SNORT. Is there a way to configure the blocking to basically white list the Server IP ONLY if it's the destination while still blocking the external source IP and block the Server IP and the external IP if the server is the source for an alert?