Only Block Inbound Detected Traffic



  • Hello,

    I have Snort set up and running currently in detection-only mode. I only have it running on the WAN interface. However, I see many detections on traffic with a source of my internal LAN. I want to enable blocking, but I don't want to block any outbound traffic from our internal network. Is there a way to do this? I currently have my internal networks as part of my HOME_NET and created pass lists with my internal networks in them.

    What am I missing?

    Thanks,

    Jeff



  • OK…

    Let's try a different question:

    If I add IPs to a suppress list, will that cause Snort to ignore that rule for that IP and allow the traffic?  Or does it just prevent it from being logged?



  • @j3ffr3y:

    OK…

    Let's try a different question:

    If I add IPs to a suppress list, will that cause Snort to ignore that rule for that IP and allow the traffic?  Or does it just prevent it from being logged?

    It will cause Snort to not throw up an alert for that rule and thus will not block the traffic, however the rule will still be evaluated.  Snort just won't alert on the outcome.  So Snort will spend CPU cycles to examine network traffic against that rule, but no matter the outcome of that examination no alert will be generated.  In the pfSense Snort package, no alert means no block (when blocking is enabled).

    If you disable a rule as compared to suppressing it, then that rule is not even evaluated (it is skipped entirely).  Thus disabling rules saves CPU cycles.  With most folks using today's high-speed hardware, there is no huge practical difference between the two since most firewalls will have lots of CPU cycles to spare anyway.  However, if you have a stretched firewall due to either high traffic and/or a low-end CPU, then disabling a rule is preferable to suppressing it.

    EDIT: after reading back through my response later, I need to clarify it a bit.  When you are trying to ignore a rule for only a specific IP or network segment, then suppressing the rule is the option to use.  When you disable a rule, it is disabled for all IP addresses.  You can't selectively disable by IP, but you can selectively suppress by IP.  I sort of glossed over your use of "IP for that rule" in my initial reply, and that was a mistake.  If you only want to bypass a rule for a specific IP or group of IPs, then you can only use the suppress option.  When you suppress a rule, you get no alerts and thus essentially no further indications that the traffic is still present.

    Another option is the PASS LIST.  Here you can insert IP addresses that will never be blocked whether they trigger a rule or not.  The Pass List will whitelist an IP address and shield it from all the rules.  So no matter which nor how many rules fire on that IP address, it will never be blocked (when blocking is enabled), but all of the alerts will show up on the ALERTS tab so you know the events are occurring in your network.

    So choosing Suppress versus Pass List versus Disable requires carefully thinking through exactly what you want to accomplish.  Some rules can safely be disabled.  Maybe they represent conditions or traffic that just can't happen in your network and there is no need to waste CPU resources checking for something that can never happen.  A Pass List is useful if you have some critical device that you explicitly trust and you never want it blocked no matter what rules trigger.  Suppress Lists allow you to be quite selective by tailoring rule behavior to specific IP addresses.

    Bill
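
To make the three options above concrete, here is an added illustration written for this page (it is not pfSense or Snort code). It parses a suppress list in Snort's threshold.conf syntax plus a few alert lines in Snort's "fast" format, as Jeff would see them in detection-only mode, and reports for each one whether the rule is evaluated at all, whether an alert is logged, and whether a block would follow once blocking is enabled. Everything in it is constructed: the SIDs (1000001 to 1000004, in the local-rule range), the addresses, the message text, the pass list and the disabled-rule set. The pass-list handling is a simplification that treats an alert as unblocked if either endpoint is on the list; the real package's "block offenders" setting decides which side gets blocked.

```python
"""Model of Disable vs. Suppress vs. Pass List in the pfSense Snort package.

Added illustration, not pfSense or Snort code.  All SIDs, addresses and
messages below are constructed placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed suppress list (Snort threshold.conf syntax, as the package writes it).
SUPPRESS_LIST = """\
# 1:1000001 is still evaluated, but no alert (so no block) when the source is the LAN.
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.168.1.0/24
# 1:1000002 is evaluated but never alerts, whatever the addresses.
suppress gen_id 1, sig_id 1000002
"""
# Constructed pass list: never blocked, alerts still logged.
PASS_LIST = [ipaddress.ip_network("10.0.0.5/32")]
# Constructed disabled rules (gid, sid): never evaluated, for every IP.
DISABLED_RULES = {(1, 1000003)}
# Constructed fast-format alert lines, as seen in detection-only mode.
SAMPLE_ALERTS = """\
01/15-10:22:01.000001  [**] [1:1000001:1] TEST policy rule A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.20:49152 -> 203.0.113.10:80
01/15-10:22:02.000001  [**] [1:1000001:1] TEST policy rule A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:40000 -> 192.168.1.20:22
01/15-10:22:03.000001  [**] [1:1000002:1] TEST policy rule B [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 198.51.100.9:5060 -> 192.168.1.1:5060
01/15-10:22:04.000001  [**] [1:1000003:1] TEST policy rule C [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.9:51000 -> 192.168.1.30:3306
01/15-10:22:05.000001  [**] [1:1000004:1] TEST policy rule D [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51001 -> 192.168.1.30:1433
"""

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str]                  # "by_src", "by_dst", or None (all traffic)
    net: Optional[ipaddress.IPv4Network]  # None when no track/ip clause is given


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    msg: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


@dataclass(frozen=True)
class Outcome:
    evaluated: bool  # did Snort spend CPU cycles on the rule?
    alerted: bool    # does the event show on the ALERTS tab?
    blocked: bool    # does an address land in the snort2c block table?
    reason: str


def parse_suppress_list(text: str) -> list:
    """Parse suppress entries; blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"malformed suppress entry: {line}")
        net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
        rules.append(Suppress(int(m["gid"]), int(m["sid"]), m["track"], net))
    return rules


def parse_alerts(text: str) -> list:
    """Pull gid/sid/msg and the two endpoints out of fast-format alert lines."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(int(m["gid"]), int(m["sid"]), m["msg"],
                                ipaddress.ip_address(m["src"]),
                                ipaddress.ip_address(m["dst"])))
    return alerts


def decide(alert: Alert, suppress_rules, pass_list, disabled, blocking_enabled=True) -> Outcome:
    key = (alert.gid, alert.sid)
    if key in disabled:                       # Disable: rule skipped for every IP
        return Outcome(False, False, False, "rule disabled: never evaluated")
    for rule in suppress_rules:               # Suppress: evaluated, but silent
        if (rule.gid, rule.sid) != key:
            continue
        if rule.net is None:
            return Outcome(True, False, False, "suppressed for all traffic")
        addr = alert.src if rule.track == "by_src" else alert.dst
        if addr in rule.net:
            return Outcome(True, False, False, f"suppressed {rule.track} {rule.net}")
    # Rule fired and nothing silenced it: the alert is logged.
    # Assumption (simplified): no block if either endpoint is on the pass list.
    if any(alert.src in net or alert.dst in net for net in pass_list):
        return Outcome(True, True, False, "pass list: alert logged, never blocked")
    return Outcome(True, True, blocking_enabled,
                   "alert logged" + (", blocked" if blocking_enabled else ""))


def run(alert_text, suppress_text, pass_list, disabled, blocking_enabled=True):
    rules = parse_suppress_list(suppress_text)
    return [(a.sid, decide(a, rules, pass_list, disabled, blocking_enabled))
            for a in parse_alerts(alert_text)]


if __name__ == "__main__":
    for sid, out in run(SAMPLE_ALERTS, SUPPRESS_LIST, PASS_LIST, DISABLED_RULES):
        print(f"sid {sid}: evaluated={out.evaluated} alerted={out.alerted} "
              f"blocked={out.blocked}  ({out.reason})")
```

Running it shows the contrast Bill describes: the first 1:1000001 hit (LAN source) is evaluated but silent, the second (external source) alerts and blocks, 1:1000002 is silent everywhere, 1:1000003 is never evaluated, and 1:1000004 from the pass-listed host alerts but is never blocked.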



  • Wow, bmeeks is back. Now I forgot my issue that bmeeks can answer.

