Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort blocking WANTED malicious traffic

    Scheduled Pinned Locked Moved IDS/IPS
    2 Posts 2 Posters 869 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • remis4R
      remis4
      last edited by

      Snort or pfSense is blocking malicious traffic to one of my systems. the problem is that this system is a malware sandbox. Ive tried creating a PassList alias with the malware sandbox internal IP in it, and enabled the passlist on the WAN interface, but traffic is still blocked. I would like to run snort as IPS to auto-protect the other webservers and the remaining subnets, but

      2017-03-12T15:25:17-04:00 10.10.30.1 filterlog: 51,16777216,,1000000118,lagg0_vlan40,match,block,in,4,0x0,,64,20591,0,DF,6,tcp,60,10.10.40.101,208.94.116.21,43434,80,0,S,3586505129,,29200,,mss;sackOK;TS;nop;wscale
      2017-03-12T15:25:18-04:00 10.10.30.1 filterlog: 51,16777216,,1000000118,lagg0_vlan40,match,block,in,4,0x0,,64,20592,0,DF,6,tcp,60,10.10.40.101,208.94.116.21,43434,80,0,S,3586505129,,29200,,mss;sackOK;TS;nop;wscale
      2017-03-12T15:25:20-04:00 10.10.30.1 filterlog: 51,16777216,,1000000118,lagg0_vlan40,match,block,in,4,0x0,,64,20593,0,DF,6,tcp,60,10.10.40.101,208.94.116.21,43434,80,0,S,3586505129,,29200,,mss;sackOK;TS;nop;wscale
      2017-03-12T15:25:24-04:00 10.10.30.1 filterlog: 51,16777216,,1000000118,lagg0_vlan40,match,block,in,4,0x0,,64,20594,0,DF,6,tcp,60,10.10.40.101,208.94.116.21,43434,80,0,S,3586505129,,29200,,mss;sackOK;TS;nop;wscale

      the 'malicious ip' above is the result of resolving http://malware.wicar.org/data/vlc_amv.html, which is a url to test sandboxes.

      I do not want to 1:1 NAT, as I am running a WAF and HAProxy in front of the webserver hosting the sandbox (oh, and the webserver and sandbox controller are on the same server, and i cannot change that). Essentially, its an isolated subnet with rules preventing jumping subnets. the sandbox controller is the gateway for sandbox clients, and it is the only host allowed internet access from that subnet via FW Rules. The sandbox is commerical product, so Im not able to change how its configured.

      Any recommendations other than turning snort into an IDS rather than IPS?

      1 Reply Last reply Reply Quote 0
      • J
        jeffhammett
        last edited by

        The only way I can think to do what you're asking would be to put the malware sandbox on a different interface, and not run Snort on that interface. This could have other security benefits as well to keep the malware away from any other systems.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.