Netgate Discussion Forum

    Snort and Cloud Services

    IDS/IPS
      PctSevens

      Hey guys.  I'm looking for some help with Snort and my company's online cloud service application.

      For some reason, when I sign on to my company's cloud software (financial/accounting), it seems to get blocked.  The IP of the site shows up in the snort2c tables.  I clear the tables and the IP addresses show up again.

      I have created firewall rules to allow any LAN access out to the affected IPs.  I have also created a firewall alias, added the alias to a Pass List and ensured the pass list is configured for the LAN as the "Pass List" option.  Neither of these steps has worked, as the IP addresses still appear in the snort2c table.

      Any suggestions?

      Thanks in advance.

        PctSevens

        I ended up answering my own question.  Apparently, it was the WAN interface causing the issue.  As soon as I added the pass list to the WAN side, the issue went away.

          bmeeks

          @PctSevens:

          I ended up answering my own question.  Apparently, it was the WAN interface causing the issue.  As soon as I added the pass list to the WAN side, the issue went away.

          A better and more secure way to handle this type of issue is to identify which rule SID (Signature ID) is causing the block and either disable that rule entirely or suppress that alert for the impacted IP (your cloud provider's address or address space).  To identify the rule causing the block, look on the ALERTS tab for the interface and filter for the blocked IP.  See which rule SID (or it may be more than one) is causing the block.  You can suppress the alert by adding the rule SID to a suppress list that filters on source or destination IP, or you can click the "X" icon under the GID:SID column to disable that rule completely.

          Bill
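
The workflow described in the post above (filter the alerts for the blocked IP, note each GID:SID, then suppress only for that address), as an added example that is not code from the thread's participants or from the Snort package. It assumes the interface's alert log is CSV in the column order listed in `FIELDS`; the sample lines, addresses, SIDs and function names are constructed for illustration.

```python
import csv
import io

# ASSUMPTION: column order of the interface's CSV alert log.
FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "proto",
          "src", "srcport", "dst", "dstport", "id", "classification", "priority"]

# Constructed sample alerts (documentation addresses, made-up SIDs).
SAMPLE_ALERTS = """\
01/15/25-09:12:01.101,1,1000001,2,"EXAMPLE policy rule A",TCP,192.168.1.20,51514,203.0.113.10,443,1,Policy Violation,1
01/15/25-09:12:03.442,1,1000001,2,"EXAMPLE policy rule A",TCP,192.168.1.20,51515,203.0.113.10,443,2,Policy Violation,1
01/15/25-09:12:04.007,1,1000002,1,"EXAMPLE rule B",TCP,203.0.113.10,443,192.168.1.20,51515,3,Misc activity,3
01/15/25-09:13:10.900,1,1000003,1,"EXAMPLE rule C",TCP,198.51.100.7,4444,192.168.1.20,22,4,Attempted Admin,1
"""


def alerts_for_ip(alert_text, blocked_ip):
    """Return {(gid, sid, track): [count, msg]} for alerts that involve blocked_ip.

    track is by_src or by_dst, depending on which side of the alert the IP was on,
    because a suppress entry only matches when the direction is right.
    """
    hits = {}
    for row in csv.DictReader(io.StringIO(alert_text), fieldnames=FIELDS):
        for track, column in (("by_src", "src"), ("by_dst", "dst")):
            if row.get(column) == blocked_ip:
                key = (int(row["gid"]), int(row["sid"]), track)
                entry = hits.setdefault(key, [0, row["msg"]])
                entry[0] += 1
    return hits


def suppress_entries(hits, scope):
    """Build suppress-list lines limited to scope (one IP or a CIDR block)."""
    lines = []
    for (gid, sid, track), (count, msg) in sorted(hits.items()):
        lines.append(f"# {msg} ({count} alert(s))")
        lines.append(f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {scope}")
    return lines


if __name__ == "__main__":
    found = alerts_for_ip(SAMPLE_ALERTS, "203.0.113.10")
    print("\n".join(suppress_entries(found, "203.0.113.10")))
```

Unlike a pass list entry, each generated line silences one rule for one address, so every other rule still inspects traffic to and from the cloud provider.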

            PctSevens

            @bmeeks:

            A better and more secure way to handle this type of issue is to identify which rule SID (Signature ID) is causing the block and either disable that rule entirely or suppress that alert for the impacted IP (your cloud provider's address or address space).  To identify the rule causing the block, look on the ALERTS tab for the interface and filter for the blocked IP.  See which rule SID (or it may be more than one) is causing the block.  You can suppress the alert by adding the rule SID to a suppress list that filters on source or destination IP, or you can click the "X" icon under the GID:SID column to disable that rule completely.

            Bill

            Thanks for the direction, Bill.  I did exactly as you said and found the rule causing the error.  I've since suppressed it and am no longer running into issues.
