Snort - ignore/bypass port inspection

  • This seems like a simple request, but may not be as I dig deeper into it.
    Firstly, pfsense 2.4.0-RELEASE (amd64) and snort running here.

    I've enabled a lot of rulesets and defaults and I'm getting logged entries for portscans, etc.
    However, one server I run (behind a nat rule) runs on a low privileged port that is not it's 'own'. I.e. I've switched it's port to use the old FINGER/79/tcp port.
    I've disabled the specific wan rule inspections relating to FINGER as they triggered because of the different requests/protocol coming through the port.

    However, what I need to be able to do is disable all inspection on port 79/tcp.
    How would I achieve this?
    Problems I can see:

    • I cannot whitelist the server IP as I do still want it protected by other rules (for http, icmp, etc)

    • I cannot whitelist the client IP as it's various internet users whose IPs change, etc

    • I only want to ignore/bypass snort processing for this one TCP port 79.

    Where or how can I go about doing this please?

  • Banned

    So what's running on that port? What service?

  • A backup daemon, "UrBackup". I've forced it to use that port as I wish it to use that specific port.
    Basically I want to bypass any snort ruleset checking on that port.

  • Partly answering my own question to provide for future, and also anyone suggest the merit/correct way of doing this?

    "Snort Interfaces" > "WAN Rules" > "Category Selection" and choose custom.rules

    Then in defined custom rules I've netered

    pass tcp any any -> any 79 (msg: "Ignore UrBackup on 79"; sid:1000001;)

    To allow it to bypass tcp port 79

    This appears to be working!

  • Galactic Empire

    Was going to suggest something like that, but I wasn't sure if custom rules over write normal rules.

    I use a custom rule to record when people are accessing my sftp server sat in my DMZ.

    Alert on SSH

    alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS
        (msg: "SSH Detected";flow:established, to_server;

  • This post is deleted!

Log in to reply