Re: Exception to a rule pulled by pulledpork

[Jeremy Hoel <jthoel () gmail com>]

threshold.conf, or modifysid.conf to adjust the rule and exclude or limit
to rule to just the IPs you want to track.


On Mon, Mar 31, 2014 at 2:58 AM, Ilja Schumacher
<ilja.schumacher () gmail com>wrote:

> Hello guys,
>
> I have a snort that is spamming me with SIP Attack alerts because I have
> an asterisk and an external SIP trunk that uses SIP peering. Additionally i
> have my firewall drop any Sip-port Packets that do not come from the
> siptrunk IP. (So pretty safe but i do not want to disable the rule
> completely for the case of my firewall failing. Not very likely but still
> possible)
>
> How can i tell snort that inbound SIP from that one specific IP is ok
> while not modifying the rule of pulledpork because it will overwrite it
> anyways in next update. Or will it not?
>
> Many thanks for your help in advance.
>
> Cheers
> Ilja
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!