Netgate Discussion Forum
    Snort - whitelisting a domain?

    IDS/IPS
    2 Posts 2 Posters 2.5k Views

    fourseasons

      I would like to block .exe from being downloaded on our corporate network.

      ET POLICY PE EXE or DLL Windows file download HTTP (1:2018959) seems to be the right Snort rule to do this.

      Unfortunately I get a lot of false positives from Windows Update downloads, which I of course do not want to block. Is there a way to suppress all these false positives based on a reverse DNS lookup for the IP (i.e. suppress all alerts for *.microsoft.com)?

      I can't use a Squid proxy because the pfSense box is also running limiters and the two don't work together.

      firewalluser

        This post lists most of the domain names involved with MS updates: https://forum.pfsense.org/index.php?topic=87247.msg479068#msg479068
        This post explains that you can't whitelist a domain in Snort: https://forum.pfsense.org/index.php?topic=88914.msg491573#msg491573

        Possible workarounds:
        If you have WSUS (the Windows Update server that downloads the updates and then pushes them to the workstations, saving MS bandwidth), perhaps you could exclude the Snort check during a certain period of time?

        If you don't have WSUS, and the workstations download the updates directly, perhaps having those updates carried out at a certain time of day and then having Snort disable itself or the rules in question might also be an option.

        You might be able to find a cron job to disable Snort or some of its rules for a period of time.

        Alternatively, maybe you could create a route that all MS updates pass through and that Snort doesn't check?

        I haven't tried any of the above; they are just some ideas which might help.

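The linked post's point stands: Snort has no domain-based whitelist. What it does offer is a per-rule suppress entry keyed on IP address, so the usual compromise is to silence SID 2018959 only for the addresses the update hosts resolve to and keep it active for everything else. The entries below are an added example, not from either poster; the addresses are placeholders you would replace with the ranges observed on your own network.

```snort
# Added example: Snort suppress entries (threshold.conf syntax, also what the
# pfSense Snort package "Suppress List" takes). Not from this thread.
# Only SID 2018959 (ET POLICY PE EXE or DLL Windows file download HTTP)
# is silenced, and only when the SOURCE is one of the listed update servers.
# The rule matches the HTTP response carrying the PE file, so the server is
# the source of the matching packet; that is why track by_src is used here
# rather than by_dst. Every other .exe download still raises the alert.
# 192.0.2.0/24 and 198.51.100.7 are placeholders (documentation ranges);
# replace them with the addresses your update hosts actually resolve to.
suppress gen_id 1, sig_id 2018959, track by_src, ip 192.0.2.0/24
suppress gen_id 1, sig_id 2018959, track by_src, ip 198.51.100.7
```

Because the entries are per-address, they need re-checking whenever the update CDN's addresses change; after reloading, confirm that the SID still fires for an .exe fetched from a host that is not on the list.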
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.