1. Home
  2. pfSense Packages
  3. IDS/IPS
  4. Snort PASSLIST and alerts…

Snort PASSLIST and alerts…

  • A

    Hello guys !!

    We're struggling a little with Snort.
    We have always worked in block mode. Till today…
    We have a client with a really poor link, so we have lots of false positives from him.

    For now, we did a passlist for their Gateway. But we don't like this, because it seems there is no more alerts in snort for passlisted ip's.

    We would have loved to check our alerts just for this specific IP, while in passlist, to be in a kind of "learning mode", and get rid of false positives (and of course continue to have the rest of the world blocked by snort).

    Is this possible? Would you guys, if not, have another way to deal with such cases?

    Thanks in advance

    0
  • bmeeks

    In Snort a Pass List entry should not prevent receiving an alert.  It just prevents that alert from going on to generate a block.  So you should still see alerts on the ALERTS tab.  The pass list is checked by the custom blocking plugin after it receives the alert but before it sends the IP address to the snort2c table.  If the alert's IP address is in the pass list, then the IP is not sent to the snort2c table but it should still show up on the ALERTS tab as an alert.

    Bill

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy