Netgate Discussion Forum
    Ignore source IP and port

    IDS/IPS
    3 Posts 2 Posters 1.5k Views
    Kieffer87

      I have a VM which I strictly use to download .torrent files for lab use such as the latest debian release, securityonion, etc. The problem I am running into is that Snort alerts on this traffic since some of the peers fall under the ET TOR relay/exit node IP ranges. I have added the LAN IP of my VM to a whitelist and assigned the whitelist to my Snort LAN interface (only one running Snort) but the IP is still being blocked.

      It's my understanding that adding the IP to a whitelist will still log the alert but shouldn't block the IP address (though for some reason it is not working this way). Ideally I would prefer not to see any alerts logged in Snort for this IP as destination and port 65000.

      After doing some research I found I could enable a bpf file in snort.conf to ignore the IP altogether. I made the following changes and restarted the Snort interface, but I'm still getting alerts. What am I missing?

      Snort.conf changes, uncommented and added:

      config bpf_file: /usr/local/etc/snort/ignore.bpf

      Created /usr/local/etc/snort/ignore.bpf:

      #Ignore Torrent Server
      !(dst net 192.168.1.9 && dst port 65000)

      I have also tried:

      !(host 192.168.1.9)

      The only thing I can think of is that Snort is not being signaled to load the file at startup. Do I need to add "-F /usr/local/etc/snort/ignore.bpf" somewhere to tell Snort to load this other than snort.conf?

      javcasta
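      The two BPF expressions in the question do not exclude the same traffic. The following added Python (not from this thread; the peer address is a constructed placeholder, not a real relay) models which direction of the VM's torrent flow each filter still hands to the rule engine. A destination-only filter leaves every packet the VM sends outbound fully inspected, so rules that key on the peer's address as destination can still fire even when the filter file is loaded.

```python
# Added example: models the two BPF expressions from the question against a
# constructed torrent flow. Packet values are made up for illustration.
from dataclasses import dataclass

VM_IP = "192.168.1.9"      # the torrent VM from the question
VM_PORT = 65000            # the port it listens on
PEER_IP = "203.0.113.77"   # constructed placeholder peer, not a real relay


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def bpf_dst_only(p: Packet) -> bool:
    """!(dst net 192.168.1.9 && dst port 65000): True means Snort still inspects."""
    return not (p.dst == VM_IP and p.dport == VM_PORT)


def bpf_host(p: Packet) -> bool:
    """!(host 192.168.1.9): excludes the VM whether it is source or destination."""
    return not (p.src == VM_IP or p.dst == VM_IP)


# Constructed bidirectional flow: a peer connects in, the VM replies, and the
# VM also dials out to the peer on its own (the direction a dst-only filter misses).
FLOW = {
    "peer->vm": Packet(PEER_IP, 51234, VM_IP, VM_PORT),
    "vm->peer reply": Packet(VM_IP, VM_PORT, PEER_IP, 51234),
    "vm->peer outbound": Packet(VM_IP, 40001, PEER_IP, 6881),
}


def inspected(filter_fn) -> dict:
    """Map each direction of FLOW to whether the filter still passes it to the rules."""
    return {name: filter_fn(pkt) for name, pkt in FLOW.items()}


if __name__ == "__main__":
    for label, fn in (("dst-only filter", bpf_dst_only), ("host filter", bpf_host)):
        print(label, inspected(fn))
```

      If even the `host` form still produces alerts, the filter file is not being applied at all, which points at how the configuration is generated rather than at the expression.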

        Hello.

        Have you tried including 192.168.1.9/32 in the Snort pass list?

        https://doc.pfsense.org/index.php/Snort_passlist

        Pass Lists are lists of IP addresses that Snort should never block. Pass lists can be created and managed on the Pass Lists tab. When an IP address is listed on a Pass List, Snort will never insert a block on that address even when malicious traffic is detected.

        Regards.

        Javier Castañón
        Communications, support and systems technician.

        My website: https://javcasta.com/

        Scripting/pfSense support: https://javcasta.com/soporte/

          javcasta

          Hi

          I see you need something more.

          Try creating custom rules in Snort to pass the traffic with dst 192.168.1.9 port 65000 and block the rest.

          alert tcp any any -> !192.168.1.9/32 65000 (msg:"IgnoreIPtcp"; sid:9000001; classtype:misc-activity; rev:1;)
          alert udp any any -> !192.168.1.9/32 65000 (msg:"IgnoreIPudp"; sid:9000002; classtype:misc-activity; rev:1;)

          Regards
