Ignore source IP and port



  • I have a VM which I strictly use to download .torrent files for lab use such as the latest debian release, securityonion, etc. The problem I am running into is that Snort alerts on this traffic since some of the peers fall under the ET TOR relay/exit node IP ranges. I have added the LAN IP of my VM to a whitelist and assigned the whitelist to my Snort LAN interface (only one running Snort) but the IP is still being blocked.

    It's my understanding that adding the IP to a whitelist will still log the alert but shouldn't block the IP address (though for some reason it is not working this way). Ideally I would not like to see any alerts logged in Snort for this IP as destination and port 65000.

    After doing some research I found I could enable a bpf file in snort.conf to ignore the IP altogether. I made the following changes and restarted the Snort interface, but I'm still getting alerts. What am I missing?

    Snort.conf changes, uncommented and added:

    config bpf_file: /usr/local/etc/snort/ignore.bpf

    Created /usr/local/etc/snort/ignore.bpf:

    #Ignore Torrent Server
    !(dst net 192.168.1.9 && dst port 65000)

    I have also tried:

    !(host 192.168.1.9)

    The only thing I can think of is that Snort is not being signaled to load the file at startup. Do I need to add "-F /usr/local/etc/snort/ignore.bpf" somewhere to tell Snort to load this other than snort.conf?
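As an added example, not code from this thread: a small Python model of the two BPF expressions posted above, run over constructed flows, showing that the dst-only form still leaves every packet the VM itself sends (peer and tracker connections from its own ephemeral ports) for Snort to inspect, while the `host` form excludes the VM in both directions. Everything except 192.168.1.9 and port 65000 (the peer/tracker addresses and ports) is constructed, and `dst net` with a full four-octet address is treated as equivalent to `dst host`.

```python
# Added example: model the semantics of the two posted BPF expressions
# against constructed torrent flows. Not Snort code; it only mirrors what
# libpcap's "dst host", "dst port" and "host" primitives match on.
from dataclasses import dataclass

VM = "192.168.1.9"      # the torrent VM from the question
TORRENT_PORT = 65000    # its listening port


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


# BPF "!(dst net 192.168.1.9 && dst port 65000)": only packets whose
# *destination* is the VM's listening socket are dropped before detection.
def keep_dst_filter(p: Pkt) -> bool:
    return not (p.dst == VM and p.dport == TORRENT_PORT)


# BPF "!(host 192.168.1.9)": any packet with the VM as source OR destination
# is dropped before detection.
def keep_host_filter(p: Pkt) -> bool:
    return not (p.src == VM or p.dst == VM)


# Constructed flows (addresses from the RFC 5737 documentation ranges):
# a peer connecting in, the VM's reply on that connection, and the VM
# dialling out to a peer and a tracker from ephemeral ports.
FLOWS = {
    "peer -> VM:65000":        Pkt("203.0.113.10", 51234, VM, TORRENT_PORT),
    "VM:65000 -> peer":        Pkt(VM, TORRENT_PORT, "203.0.113.10", 51234),
    "VM:40001 -> peer:6881":   Pkt(VM, 40001, "198.51.100.7", 6881),
    "VM:40002 -> tracker:80":  Pkt(VM, 40002, "192.0.2.20", 80),
}


def still_inspected(keep) -> list:
    """Names of the flows the given BPF still hands to Snort's detection engine."""
    return [name for name, p in FLOWS.items() if keep(p)]


if __name__ == "__main__":
    for label, f in (("dst-only filter", keep_dst_filter),
                     ("host filter", keep_host_filter)):
        print(f"{label}: Snort still sees {still_inspected(f)}")
```

A reputation-list rule such as the ET TOR set fires on either endpoint of a flow, so outbound connections from the VM to a listed peer are exactly what the dst-only expression leaves exposed.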



  • Hello.

    Have you tried including 192.168.1.9/32 in the Snort passlist?

    https://doc.pfsense.org/index.php/Snort_passlist

    Pass Lists are lists of IP addresses that Snort should never block. Pass lists can be created and managed on the Pass Lists tab. When an IP address is listed on a Pass List, Snort will never insert a block on that address even when malicious traffic is detected.

    Regards.



  • Hi

    I see you need something more f.

    Try creating custom rules in Snort to pass the traffic with dst 192.168.1.9 port 65000 and block the rest.

    alert tcp any any -> !192.168.1.9/32 65000 (msg:"IgnoreIPtcp"; sid:9000001; classtype:misc-activity; rev:1;)
    alert udp any any -> !192.168.1.9/32 65000 (msg:"IgnoreIPudp"; sid:9000002; classtype:misc-activity; rev:1;)

    Regards

