Netgate Discussion Forum

    What is right way to disable blocking traffic by snort?

IDS/IPS
5 Posts 2 Posters 998 Views
chudak

      I get one IP blocked all the time when uploading files.
The blocked message says "xxx.xxx.xxx.xx
      (http_inspect) WEBROOT DIRECTORY TRAVERSAL -- 2018-11-15 10:09:44
      ET TROJAN Win32/BlackCarat XORed (0x77) CnC Checkin -- 2018-11-15 09:23:16
      ET TROJAN Win32.Sality.3 Checkin -- 2018-11-15 09:51:19
      "

I tried adding this IP to the suppress list, force-disabled the rule via the Alerts tab and changed IPS Policy Selection from Security to Balanced, and so far did not get it working.

      What is the right way to do this?

Thx for your help!

bmeeks @chudak

        Did you also go to the BLOCKED tab and remove the blocked IP from that list? If you don't do that, the IP will stay blocked until you reboot the firewall no matter what you do with Suppress Lists or disabling of the rule. Once Snort alerts on and blocks an IP, it hands the blocking part over to the firewall. So the firewall will continue to block that IP until it is removed from the snort2c table in pf.

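The mechanism bmeeks describes (Snort alerts, then hands the block to pf via the snort2c table, so the block persists until that table entry is removed) can be inspected and cleared from the pfSense shell with pfctl. The helper below is an added example, not code from this thread or from the pfSense Snort package; the table name snort2c comes from the reply above, the PFCTL and SNORT_TABLE environment overrides are assumed conveniences for dry runs on a box without pf, and the addresses in the usage comments are documentation-range placeholders. Removing the entry is the same thing the Blocked tab's remove action does: it only clears the current block, and the next matching alert re-adds the host unless the firing rules are disabled or suppressed or the host is on a Pass List.

```shell
#!/bin/sh
# Added example: inspect and clear the pf table the pfSense Snort package
# uses for blocked hosts. Assumed overrides: PFCTL (command to run instead
# of pfctl, e.g. "echo" for a dry run) and SNORT_TABLE (default snort2c).
PFCTL="${PFCTL:-pfctl}"
TABLE="${SNORT_TABLE:-snort2c}"

# List every address pf is currently blocking on Snort's behalf; this is
# the same data the Blocked tab displays.
snort2c_show() {
    "$PFCTL" -t "$TABLE" -T show
}

# Accept only a dotted-quad IPv4 address with each octet in 0..255, so a
# typo never reaches pfctl.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    _ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_ifs
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Exit 0 if the given address is in the table, 1 otherwise.
# pfctl prints table entries indented, so compare the first field.
snort2c_is_blocked() {
    snort2c_show | awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }'
}

# Remove one host from the table (what the Blocked tab's remove does).
# Snort will insert it again on the next alert unless the rule is
# disabled/suppressed or the host is on a Pass List.
snort2c_unblock() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 2; }
    "$PFCTL" -t "$TABLE" -T delete "$1"
}

# Empty the whole table, i.e. unblock every host at once.
snort2c_flush() {
    "$PFCTL" -t "$TABLE" -T flush
}

# When run as a script:  snort2c.sh show | blocked 192.0.2.10 | unblock 192.0.2.10 | flush
case "${1:-}" in
    show)    snort2c_show ;;
    blocked) snort2c_is_blocked "$2" ;;
    unblock) snort2c_unblock "$2" ;;
    flush)   snort2c_flush ;;
esac
```

Run it on the firewall as root (pfctl needs it); `PFCTL=echo ./snort2c.sh unblock 192.0.2.10` shows the exact pfctl invocation without touching the table.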
chudak

          Yes I did, and then it was blocked again

          Finally I added a Pass list and it seems working now

Still not sure which way is "best practice"

bmeeks @chudak

            It depends on the rules that are firing and how your network is configured. Using the information you posted, you would need to have disabled three different rules, and possibly even more. A Pass List will prevent hosts in the pass list from ever generating a block. If you trust that host, then a Pass List is best. That way it does not matter which rules are firing against that host, it will never be blocked.

chudak

That seems the way now!

              Thx!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.