How do you allow a single IP to bypass a single rule? I see an alert that is associated with a SQL injection. I know that the source and destination IP and port are 100% legit. I want to exclude this single rule for the source and destination and not exclude the IPs from any other rules. I am having a hard time finding out if this can be done.
@Dv are you really a Cisco employee, or is that some sort of hack you did? I can't believe someone would mislead someone like you did here. That's extremely disturbing, and I've reported your post.
To the OP: A suppression would actually cause you even more trouble - your traffic would still be blocked, and you would now have no alerting for it! Not only that, it creates extra work for Snort. What you need to do is either create a "Pass Rule" or modify your Access Control Policy to have a rule to pass this traffic without inspection.
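What a pass rule looks like in Snort 2 rule syntax, as an added example that is not part of the original thread. The IPs, port, SIDs and the `union select` payload match are all hypothetical placeholders; the thread does not say which signature fired or which hosts are involved, so substitute the real rule's header and payload options and the real source/destination pair. In FMC this is entered through the intrusion rule editor with the rule action set to Pass, and the rule must be enabled in the intrusion policy that is applied to the traffic.

```snort
# Added example, not from the original thread. Snort 2 rule syntax.
#
# Assumptions (hypothetical, substitute your own values):
#   - the noisy signature is a SQL-injection rule on HTTP traffic to port 80
#   - the known-good client is 10.1.1.50, the server is 10.2.2.80
#   - the original rule's payload condition is content:"union select"
#
# A pass rule exempts ONLY the traffic it matches from ONLY the signature it
# mirrors, so it must carry the same protocol, direction and payload options
# as the original rule, with the source/destination narrowed to the legit pair.
# Every other host still hits the original alert rule below, and the legit
# pair still hits every other rule in the policy.
# Local (custom) rule SIDs must be 1000000 or higher.
pass tcp 10.1.1.50 any -> 10.2.2.80 80 ( \
    msg:"LOCAL pass - known-good client exempt from SQLi sid 1000001"; \
    flow:to_server,established; \
    content:"union select"; nocase; \
    sid:1000002; rev:1; \
)

# The original alerting rule stays enabled and unchanged, e.g.:
alert tcp any any -> any 80 ( \
    msg:"SQL injection attempt - union select"; \
    flow:to_server,established; \
    content:"union select"; nocase; \
    classtype:web-application-attack; \
    sid:1000001; rev:1; \
)
```

With Snort 2's default rule application order, pass rules are evaluated before drop and alert rules, so a matching pass rule wins without any suppression or threshold; if the sensor has been started with `--alert-before-pass`, that order is reversed and the pass rule will not take effect. If the original signature uses more specific options (pcre, http_uri, fast_pattern, and so on), copy those into the pass rule as well, since a pass rule that is broader than the original would exempt the pair from more than the one signature you intend.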
This hasn't worked for me despite enabling a new access rule with the "Trust" action and no IPS policy applied. I've also whitelisted the IP, but I'm still seeing the trusted IP registered in several Intrusion Event entries for SQL injection attack and much more.
I'd appreciate suggestions to resolve this, as it's generating lots of Intrusion Event false positives.