Snort - ignore/bypass port inspection
-
This seems like a simple request, but may not be as I dig deeper into it.
Firstly, pfsense 2.4.0-RELEASE (amd64) and snort 3.2.9.5_2 running here.I've enabled a lot of rulesets and defaults and I'm getting logged entries for portscans, etc.
However, one server I run (behind a nat rule) runs on a low privileged port that is not it's 'own'. I.e. I've switched it's port to use the old FINGER/79/tcp port.
I've disabled the specific wan rule inspections relating to FINGER as they triggered because of the different requests/protocol coming through the port.However, what I need to be able to do is disable all inspection on port 79/tcp.
How would I achieve this?
Problems I can see:-
I cannot whitelist the server IP as I do still want it protected by other rules (for http, icmp, etc)
-
I cannot whitelist the client IP as it's various internet users whose IPs change, etc
-
I only want to ignore/bypass snort processing for this one TCP port 79.
Where or how can I go about doing this please?
Thanks! -
-
So what's running on that port? What service?
-
A backup daemon, "UrBackup". I've forced it to use that port as I wish it to use that specific port.
Basically I want to bypass any snort ruleset checking on that port. -
Partly answering my own question to provide for future, and also anyone suggest the merit/correct way of doing this?
"Snort Interfaces" > "WAN Rules" > "Category Selection" and choose custom.rules
Then in defined custom rules I've netered
pass tcp any any -> any 79 (msg: "Ignore UrBackup on 79"; sid:1000001;)To allow it to bypass tcp port 79
This appears to be working!
-
Was going to suggest something like that, but I wasn't sure if custom rules over write normal rules.
I use a custom rule to record when people are accessing my sftp server sat in my DMZ.
Alert on SSH
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS
(msg: "SSH Detected";flow:established, to_server;
content:"SSH-";sid:1000001;rev:1;classtype:not-suspicious) -
This post is deleted!
