Pass list for a specific SPort?
ryanrowe last edited by
I'd like Snort to ignore SPort == 123 for blocking hosts, there are lots of TOR based NTP servers which are causing my a headache, and rather than disable the entire rule, I'd like to do something like a Pass List, but for a specific port instead.
Is this possible?
jeffhammett last edited by
I don't think it's possible to do it the way you are asking.
One way to solve would be to use modifysid on the SID MGMT tab to exclude port 123 from the rules that are being triggered.
Another option would be to suppress the internal host(s) that are triggering these rules for each specific rule.