Snort custom rule, alert only no blocking, Snort is in blocking mode



  • Hi,

    I am writing custom rules; however, I want them to be in alert mode only, not block. The Snort configuration now is in blocking mode.

    Is there a way to exclude some rules from being blocked if they are matched?

    Any attribute in the rule itself?

    Cheers



  • In other words, can I have an exception for rules not to block traffic, although Snort is in blocking mode (Block Offenders is selected)?



  • @compuomari said in Snort custom rule, alert only no blocking, Snort is in blocking mode:

    In other words, can I have an exception for rules not to block traffic, although Snort is in blocking mode (Block Offenders is selected)?

    No, the Snort package does not allow that option. You might be able to use a Pass List entry for a given host or group of hosts (via a firewall-defined alias) to prevent blocking of the specified host. But a Pass List would mean any host in the list would never be blocked. That may not be what you want.

    The Suricata package has this functionality. You can implement a mode in that package where only rules with the action DROP will block traffic. I would like to add this capability to Snort, but the internal workings of the Snort binary do not make this an easy task.

    Here is a link to a Sticky Post in this sub-forum about the "Block on DROP Only" mode of operation possible in the Suricata package.
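The difference between the two packages described above comes down to the rule's action keyword. The script below is an added example, not code from the thread or from the pfSense Snort/Suricata packages: it parses a constructed `local.rules` file and reports which SIDs would cause a block under two simplified policies. "block-all" models the Snort package with Block Offenders enabled, where any matching rule blocks the offender (the Pass List is not modeled); "block-on-drop-only" models the Suricata package's Block on DROP Only mode, where only rules whose action is `drop` block. The rule lines, SIDs and messages are constructed for the example.

```python
import re

# Constructed sample rule file (not from the original thread). The first two rules
# match the same traffic and differ only in the action keyword.
SAMPLE_RULES = """\
# local.rules (constructed example)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL outbound tcp/4444 - alert only"; sid:1000001; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL outbound tcp/4444 - drop"; sid:1000002; rev:1;)
alert dns any any -> any any (msg:"LOCAL dns query observed"; sid:1000003; rev:1;)
pass tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL allow https"; sid:1000004; rev:1;)
"""

# action  header...  ( options )
RULE_RE = re.compile(r"^(?P<action>alert|drop|pass|reject|log)\s+(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"\s*;')


def parse_rules(text):
    """Parse rule lines into dicts with action, sid and msg. Blank and comment lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a recognised rule: {line!r}")
        sid = SID_RE.search(m.group("options"))
        if sid is None:
            raise ValueError(f"line {lineno}: rule has no sid")
        msg = MSG_RE.search(m.group("options"))
        rules.append({
            "action": m.group("action"),
            "sid": int(sid.group(1)),
            "msg": msg.group(1) if msg else "",
        })
    return rules


def blocking_sids(rules, mode):
    """Return the sorted SIDs that would block the offending host under the given mode.

    mode = "block-all":          any matching alert/drop/reject rule blocks (assumed model of the
                                 Snort package with Block Offenders; Pass List not modeled).
    mode = "block-on-drop-only": only drop-action rules block (Suricata package Block on DROP Only).
    A "pass" rule never blocks in either mode; "log" rules only log.
    """
    if mode == "block-all":
        blocking_actions = {"alert", "drop", "reject"}
    elif mode == "block-on-drop-only":
        blocking_actions = {"drop"}
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return sorted(r["sid"] for r in rules if r["action"] in blocking_actions)


def alert_only_sids(rules, mode):
    """SIDs that generate an alert but do not block under the given mode."""
    blocking = set(blocking_sids(rules, mode))
    return sorted(r["sid"] for r in rules if r["action"] == "alert" and r["sid"] not in blocking)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for mode in ("block-all", "block-on-drop-only"):
        print(f"{mode}: blocks {blocking_sids(rules, mode)}, alert-only {alert_only_sids(rules, mode)}")
```

Under "block-all" every alert-action rule blocks, which is why the original poster cannot get an alert-only custom rule from the Snort package; under "block-on-drop-only" SIDs 1000001 and 1000003 alert without blocking and only 1000002 blocks, so the rule author controls blocking per rule by choosing `alert` or `drop`.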