Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort PASSLIST and alerts…

    Scheduled Pinned Locked Moved IDS/IPS
    2 Posts 2 Posters 619 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      aniodon
      last edited by

      Hello guys !!

      We're struggling a little with Snort.
      We have always worked in block mode. Till today…
      We have a client with a really poor link, so we have lots of false positives from him.

      For now, we did a passlist for their Gateway. But we don't like this, because it seems there is no more alerts in snort for passlisted ip's.

      We would have loved to check our alerts just for this specific IP, while in passlist, to be in a kind of "learning mode", and get rid of false positives (and of course continue to have the rest of the world blocked by snort).

      Is this possible? Would you guys, if not, have another way to deal with such cases?

      Thanks in advance

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        In Snort a Pass List entry should not prevent receiving an alert.  It just prevents that alert from going on to generate a block.  So you should still see alerts on the ALERTS tab.  The pass list is checked by the custom blocking plugin after it receives the alert but before it sends the IP address to the snort2c table.  If the alert's IP address is in the pass list, then the IP is not sent to the snort2c table but it should still show up on the ALERTS tab as an alert.

        Bill

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.