Snort and Cloud Services



  • Hey guys.  I'm looking for some help with Snort and my company's online cloud service application.

    For some reason, when I sign on to my company's cloud software (financial/accounting), it seems to get blocked.  The IP of the site shows up in the snort2c tables.  I clear the tables and the IP addresses show up again.

    I have created firewall rules to allow any LAN access out to the affected IPs.  I have also created a firewall alias, added the alias to a Pass List and ensured the pass list is configured for the LAN as the "Pass List" option.  Neither of these steps have worked as the IP addresses still appear in the snort2c table.

    Any suggestions?

    Thanks in advance.



  • I ended up answering my own question.  Apparently, it was the WAN interface causing the issue.  As soon as I added the pass list to the WAN side, the issue went away.



  • @PctSevens:

    I ended up answering my own question.  Apparently, it was the WAN interface causing the issue.  As soon as I added the pass list to the WAN side, the issue went away.

    A better and more secure way to handle this type of issue is to identify which rule SID (Signature ID) is causing the block and either disable that rule entirely or suppress that alert for the impacted IP (your cloud provider's address or address space).  To identify the rule causing the block, look on the ALERTS tab for the interface and filter for the blocked IP.  See which rule SID (or it may be more than one) is causing the block.  You can suppress the alert by adding the rule SID to a suppress list that filters on source or destination IP, or you can click the "X" icon under the GID:SID column to disable that rule completely.

    Bill



  • @bmeeks:

    A better and more secure way to handle this type of issue is to identify which rule SID (Signature ID) is causing the block and either disable that rule entirely or suppress that alert for the impacted IP (your cloud provider's address or address space).  To identify the rule causing the block, look on the ALERTS tab for the interface and filter for the blocked IP.  See which rule SID (or it may be more than one) is causing the block.  You can suppress the alert by adding the rule SID to a suppress list that filters on source or destination IP, or you can click the "X" icon under the GID:SID column to disable that rule completely.

    Bill

    Thanks for the direction Bill.  I did exactly as you said and found the rule causing the error.  I've since suppressed it and am no longer running into issues.


Log in to reply