    Snort: Suppress Source Addresses
    12 Posts 2 Posters 4.3k Views
    • Ruddimaster

      Hi,

      we use Snort as IPS for several official address ranges on WAN. Now we need some addresses/ranges in our official ranges which should not be blocked, regardless of matched rules.
      E.g. some customers won't be protected by Snort, or we need this to implement a honey pot.

      In other words: if someone outside wants to communicate with specified IPs of ours, Snort must not block this.

      Is this practicable within the suppress list?

      • bmeeks

        This is what a PASS LIST is for.  IP addresses on a PASS LIST are never blocked.  They will still generate alerts, but those alerts will not result in blocks.

        1.  Go create an Alias under Firewall > Aliases and put all the IP addresses you never want blocked in the alias.  You must use actual IP addresses.  FQDN aliases will not work!

        2.  Go to the PASS LIST tab and create a new list.  Leave all the checkboxes at their defaults.  In the red background alias field at the bottom of the page, begin typing the name of the alias you created in the step above.  It should auto-populate.  Select it and then save the changes.

        3.  Now go to the SNORT INTERFACES tab and edit the Snort interface where you need to use the new PASS LIST (I assume that would be your WAN).

        4.  Scroll down towards the bottom of the page and in the PASS LIST drop-down select the pass list you created and saved up above.  Save the interface changes.

        5.  Restart Snort on the interface and you are good to go.

        Bill

        • Ruddimaster

          Hi Bill,

          A little bit confused: I thought that this list is only for source addresses?
          But in my case I want to define a "destination exclusion list".

          e.g.
          I have an external IP range: 1.2.3.0/24. In this range I want to use the IP 1.2.3.4 for a honey pot. All bad guys over the world are able to make a port scan, penetrate or make brute force only to this address, and Snort shouldn't ban this.

          • bmeeks

            A PASS LIST works in either direction (source or destination).  I think I misunderstood your intent, though.  The PASS LIST would prevent the Honey Pot address from being blocked, but it may not prevent the other end of the conversation from being blocked.  For example, if IP 5.6.7.8 does a port scan to your honey pot IP, the PASS LIST would prevent the honey pot IP from being blocked, but if Snort was set to block "both" addresses in alerts, then the source of the port scan would still get blocked.  You might need to play with the "Block Which IP" setting on the INTERFACE SETTINGS tab in Snort.  You could set that to only block the DST IP.  This will impact other traffic inspection/blocking, though.  Setting it to BOTH is usually a better choice for security.

            Bill

            • Ruddimaster

              Other settings in "Which IP to Block" than both are a bad option.

              My idea: I must replace the variable $Home_Net. I hope I am able to exclude some addresses in an alias like this?
              1.2.0.0/20
              !1.2.3.4/32

              Is this possible?

              http://manual.snort.org/node16.html#SECTION00312000000000000000

              The following example list will match the IP 1.1.1.1 and IPs from 2.2.2.0 to 2.2.2.255, with the exception of IPs 2.2.2.2 and 2.2.2.3.
                  [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]

              Or any other suggestions?
              Otherwise this will be a long alias.

              • bmeeks

                @Ruddimaster:

                My idea: I must replace the variable $Home_Net. I hope I am able to exclude some addresses in an alias like this?
                1.2.0.0/20
                !1.2.3.4/32

                Is this possible?

                I think that should work.

                Bill

                • Ruddimaster

                  Hi,

                  How can I exclude a single IP (!1.2.3.4)?

                  -> Error message in Snort variables: Only aliases are allowed.
                  In variables I can't use a !
                  [$HOME_NET,!snort_alias_exclude] doesn't work.

                  To exclude only a single IP it is possible to define a range

                  1.2.3.3-1.2.3.5
                  but how should I handle this with a bunch of IPs?

                  Dirk

                  • Ruddimaster

                    In the meantime I have created an alias and added only 1.2.3.0/24 to this list, unchecked everything in my created pass list, and added my alias to this list. I changed "default" in the Snort interface to my created "pass list" and restarted Snort.
                    But if I take a look at this "Home Net" list, I still see 1.2.0.0/20 and all my other local IP ranges…

                    • bmeeks

                      The Snort GUI is not set up to work with a HOME_NET parameter such as you defined.  The HOME_NET variable contents are built dynamically each time a save is made to an interface or when Snort is manually started/restarted from the INTERFACES tab in Snort.

                      There is a way to manually edit and lock the HOME_NET variable for an interface, but it would be really locked and you will have to re-apply the fix after each update of the Snort package (or when pfSense itself is updated, as that will uninstall and reinstall Snort).  The method requires editing the template file used to produce the snort.conf configuration file.  Another downside of this approach is that it will apply to every Snort instance on the firewall.  If you only have one, then no problem; but if you have multiple Snort interfaces each would get the same HOME_NET setting.

                      Find this line in the file /usr/local/pkg/snort/snort_conf_template.inc (it will be near the top):

                      # Define Local Network #
                      ipvar HOME_NET [{$home_net}]

                      Remove the "{$home_net}" string and replace it with the actual IP addresses you want in HOME_NET.  Save the change.  Now go to the INTERFACES tab in Snort and start and restart the interface.  The new HOME_NET will show up in the snort.conf file.  You WILL NOT see the change in the GUI, though.

                      Bill

                      • Ruddimaster

                        Hi Bill,

                        many thanks for your reply.

                        In the case of file hacking, am I also able to exclude some IPs? This would be easier to administrate.

                        At this time I have only one Snort instance.
                        How does this look?

                        ipvar HOME_NET [{$home_net},!{Alias_snort_exclude}]

                        Dirk

                        • bmeeks

                          @Ruddimaster:

                          Hi Bill,

                          many thanks for your reply.

                          In the case of file hacking, am I also able to exclude some IPs? This would be easier to administrate.

                          At this time I have only one Snort instance.
                          How does this look?

                          ipvar HOME_NET [{$home_net},!{Alias_snort_exclude}]

                          Dirk

                          You can't have the curly braces or the content within them.  Those are PHP-specific string variable delimiters.  Snort (the binary) does not understand anything in HOME_NET but numerical IP address information.  Something like this would be valid:

                          ipvar HOME_NET [ 1.2.3.4/32, 10.0.0.1/24, !5.6.7.8/32 ]

                          Bill

                          • Ruddimaster
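The list syntax quoted from the Snort manual earlier in the thread and the `ipvar HOME_NET [ 1.2.3.4/32, 10.0.0.1/24, !5.6.7.8/32 ]` line above can be sanity-checked offline with the following script, an added example that is not part of this thread or of the pfSense Snort package. The semantics it implements are assumptions (an address is in the list when it matches some positive entry and no negated entry, nested lists recurse, and a list with only negated entries means everything except those), not something stated on this page.

```python
# Added example (not the forum's or the pfSense Snort package's code): evaluate
# Snort ipvar list syntax such as HOME_NET offline. Assumed semantics: an address
# is in the list if it matches a positive entry and no negated entry; nested
# [..] lists recurse; a list with only negated entries means "all except those".
import ipaddress

def _split_top_level(text):
    """Split on commas that are not inside nested [...] brackets."""
    parts, depth, cur = [], 0, []
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def parse_iplist(text):
    """Parse e.g. '[1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]' into a tuple
    (include, exclude); each entry is an ip_network or a nested tuple."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    include, exclude = [], []
    for item in _split_top_level(text):
        negated = item.startswith("!")
        body = item[1:].strip() if negated else item
        if body.startswith("["):
            node = parse_iplist(body)
        else:
            # strict=False masks host bits (10.0.0.1/24 -> 10.0.0.0/24) instead of failing
            node = ipaddress.ip_network(body, strict=False)
        (exclude if negated else include).append(node)
    return include, exclude

def _in_list(parsed, ip):
    include, exclude = parsed
    match = lambda n: _in_list(n, ip) if isinstance(n, tuple) else ip in n
    if any(match(n) for n in exclude):
        return False
    return not include or any(match(n) for n in include)

def contains(parsed, addr):
    """True if the address string addr falls inside the parsed list."""
    return _in_list(parsed, ipaddress.ip_address(addr))

if __name__ == "__main__":
    hp = parse_iplist("[1.2.0.0/20,!1.2.3.4/32]")  # the thread's honey pot case
    print({a: contains(hp, a) for a in ("1.2.3.4", "1.2.3.5", "9.9.9.9")})
```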

                            Hi Bill,

                            many thanks…

                            Dirk
