Netgate Discussion Forum
    Snort - ignore/bypass port inspection

    IDS/IPS
    • andyb2000

      This seems like a simple request, but may not be as I dig deeper into it.
      Firstly, pfsense 2.4.0-RELEASE (amd64) and snort 3.2.9.5_2 running here.

      I've enabled a lot of rulesets and defaults and I'm getting logged entries for portscans, etc.
      However, one server I run (behind a NAT rule) runs on a low privileged port that is not its 'own'. I.e. I've switched its port to use the old FINGER/79/tcp port.
      I've disabled the specific wan rule inspections relating to FINGER as they triggered because of the different requests/protocol coming through the port.

      However, what I need to be able to do is disable all inspection on port 79/tcp.
      How would I achieve this?
      Problems I can see:

      • I cannot whitelist the server IP as I do still want it protected by other rules (for http, icmp, etc)

      • I cannot whitelist the client IP as it's various internet users whose IPs change, etc

      • I only want to ignore/bypass snort processing for this one TCP port 79.

      Where or how can I go about doing this please?
      Thanks!

      • doktornotor

        So what's running on that port? What service?

        • andyb2000

          A backup daemon, "UrBackup". I've forced it to use that port as I wish it to use that specific port.
          Basically I want to bypass any snort ruleset checking on that port.

          • andyb2000

            Partly answering my own question to provide for the future; also, can anyone suggest the merit/correct way of doing this?

            "Snort Interfaces" > "WAN Rules" > "Category Selection" and choose custom.rules

            Then in the defined custom rules I've entered

            pass tcp any any -> any 79 (msg: "Ignore UrBackup on 79"; sid:1000001;)
            
            

            To allow it to bypass tcp port 79

            This appears to be working!

            • NogBadTheBad

              Was going to suggest something like that, but I wasn't sure if custom rules override normal rules.

              I use a custom rule to record when people are accessing my sftp server sat in my DMZ.

              Alert on SSH

              alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS
                  (msg: "SSH Detected";flow:established, to_server;
                  content:"SSH-";sid:1000001;rev:1;classtype:not-suspicious;)

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

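The question NogBadTheBad raises (whether a custom `pass` rule wins over the stock alert rules) comes down to Snort 2.x action ordering: by default Snort checks `pass` rules before `alert` rules, and the `--alert-before-pass` command-line option reverses that, so a `pass` rule in custom.rules silences everything else on the matching traffic only under the default order. The script below is an added example (not Snort, pfSense package, or either poster's code) that models that ordering on andyb2000's pass rule and NogBadTheBad's SSH alert, plus a constructed stand-in for the FINGER alerts that were firing on tcp/79. The `$HOME_NET`, `$EXTERNAL_NET` and `$SSH_PORTS` values, the packets and the FINGER rule text are all assumptions made for the demo; only proto, addresses, ports, `->` direction and `content` are matched, and options such as `flow` are parsed but ignored. Two things it makes visible that are worth checking on a real box: both posted rules use `sid:1000001`, which collides if they land in the same custom.rules file, and `pass tcp any any -> any 79` is wider than the stated goal (scoping it to `$HOME_NET`/the UrBackup server's address keeps tcp/79 elsewhere inspected).

```python
"""Toy model of Snort 2.x rule ordering (added example; not Snort or pfSense code).
Parses the pass and alert rules from this thread plus a constructed FINGER-style
alert, then evaluates constructed packets with pass rules checked before alert
rules (Snort 2.9's default) or the reverse (--alert-before-pass).
"""
import ipaddress
import re
from collections import namedtuple
from typing import Optional

# Constructed values for the variables the thread's rules use; on pfSense they
# come from the Snort package's HOME_NET / EXTERNAL_NET and port settings.
VARIABLES = {"$HOME_NET": "192.0.2.0/24", "$EXTERNAL_NET": "!192.0.2.0/24", "$SSH_PORTS": "22"}

RULE_RE = re.compile(
    r"^\s*(?P<action>pass|alert|log)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.DOTALL)
# Options are `key:value;` or a bare `key;`; a quoted value may hold spaces and colons.
OPT_RE = re.compile(r'(\w+)\s*(?::\s*("[^"]*"|[^;]*))?\s*;')

Rule = namedtuple("Rule", "action proto src sport dst dport opts")
Packet = namedtuple("Packet", "proto src sport dst dport payload")

def parse_rule(text: str) -> Rule:
    """Split a rule into header fields and an option dict with quotes stripped."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = {k: v.strip().strip('"') for k, v in OPT_RE.findall(m["opts"])}
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"], opts)

def _resolve(term: str):
    """Expand a $VARIABLE and fold any '!' negations into a single flag."""
    negate = False
    while term.startswith("!"):
        negate, term = not negate, term[1:]
    term = VARIABLES.get(term, term)
    if term.startswith("!"):
        negate, term = not negate, term[1:]
    return negate, term

def _addr_matches(term: str, ip: str) -> bool:
    negate, term = _resolve(term)
    hit = term == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(term, strict=False)
    return hit != negate

def _port_matches(term: str, port: int) -> bool:
    negate, term = _resolve(term)
    if term == "any":
        hit = True
    elif ":" in term:  # Snort range syntax lo:hi, either end optional
        lo, _, hi = term.partition(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(term)
    return hit != negate

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header match on proto/addresses/ports, then an optional `content` substring."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (_addr_matches(rule.src, pkt.src) and _port_matches(rule.sport, pkt.sport)
            and _addr_matches(rule.dst, pkt.dst) and _port_matches(rule.dport, pkt.dport)):
        return False
    content = rule.opts.get("content")
    return not content or content.encode() in pkt.payload

def evaluate(rules, pkt: Packet, alert_before_pass: bool = False) -> Optional[dict]:
    """Return the first rule that matches in action order, or None if none does."""
    order = ("alert", "pass", "log") if alert_before_pass else ("pass", "alert", "log")
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return {"action": action, "sid": rule.opts.get("sid"), "msg": rule.opts.get("msg", "")}
    return None

RULES = [parse_rule(r) for r in (
    # andyb2000's custom pass rule, exactly as posted
    'pass tcp any any -> any 79 (msg: "Ignore UrBackup on 79"; sid:1000001;)',
    # NogBadTheBad's SSH alert, sid renumbered so it does not collide with the pass rule
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg: "SSH Detected";'
    'flow:established, to_server; content:"SSH-";sid:1000002;rev:1;classtype:not-suspicious;)',
    # Constructed stand-in for the stock FINGER rules that were firing on tcp/79
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER query (constructed)"; sid:1000003; rev:1;)',
)]

# Constructed packets: an UrBackup client hitting tcp/79, an SSH banner, and a TLS hello.
URBACKUP = Packet("tcp", "203.0.113.7", 51234, "192.0.2.10", 79, b"UrBackup-client-hello")
SSH = Packet("tcp", "203.0.113.7", 51235, "192.0.2.20", 22, b"SSH-2.0-OpenSSH_7.5\r\n")
HTTPS = Packet("tcp", "203.0.113.7", 51236, "192.0.2.20", 443, b"\x16\x03\x01")

if __name__ == "__main__":
    for name, pkt in (("urbackup", URBACKUP), ("ssh", SSH), ("https", HTTPS)):
        print(f"{name:9} default order: {evaluate(RULES, pkt)}")
    print("urbackup  alert-before-pass:", evaluate(RULES, URBACKUP, alert_before_pass=True))
```

Run it and the tcp/79 packet resolves to the `pass` rule under the default order even though the FINGER-style alert also matches it, while the same packet produces the FINGER alert once `alert_before_pass=True`; the SSH banner on tcp/22 still alerts and the TLS hello matches nothing. That is the behaviour to expect from a `pass` rule on a stock pfSense Snort install, and the flag is the thing to check if a pass rule ever appears not to "override" the normal rules.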