What is the right way to disable blocking traffic by Snort?



  • I get one IP blocked all the time when uploading files.
    The blocked message says "xxx.xxx.xxx.xx
    (http_inspect) WEBROOT DIRECTORY TRAVERSAL -- 2018-11-15 10:09:44
    ET TROJAN Win32/BlackCarat XORed (0x77) CnC Checkin -- 2018-11-15 09:23:16
    ET TROJAN Win32.Sality.3 Checkin -- 2018-11-15 09:51:19
    "

    I tried adding this IP to the suppress list, force-disabled the rule via the Alerts tab and changed IPS Policy Selection from Security to Balanced, and so far did not get it working.

    What is the right way to do this?

    Thx for your help!



  • @chudak said in What is the right way to disable blocking traffic by Snort?:

    I get one IP blocked all the time when uploading files.
    The blocked message says "xxx.xxx.xxx.xx
    (http_inspect) WEBROOT DIRECTORY TRAVERSAL -- 2018-11-15 10:09:44
    ET TROJAN Win32/BlackCarat XORed (0x77) CnC Checkin -- 2018-11-15 09:23:16
    ET TROJAN Win32.Sality.3 Checkin -- 2018-11-15 09:51:19
    "

    I tried adding this IP to the suppress list, force-disabled the rule via the Alerts tab and changed IPS Policy Selection from Security to Balanced, and so far did not get it working.

    What is the right way to do this?

    Thx for your help!

    Did you also go to the BLOCKED tab and remove the blocked IP from that list? If you don't do that, the IP will stay blocked until you reboot the firewall no matter what you do with Suppress Lists or disabling of the rule. Once Snort alerts on and blocks an IP, it hands the blocking part over to the firewall. So the firewall will continue to block that IP until it is removed from the snort2c table in pf.
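    Checking the pf side of this directly, as an added example that is not part of the thread: on pfSense the hosts Snort has blocked live in the pf table named snort2c, so pfctl can show whether a host is still held there and delete it (the CLI equivalent of removing it on the BLOCKED tab). The PFCTL override and the constructed table listing used for testing are assumptions, not something the thread describes.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense Snort package.
# Inspect and clear a host's entry in pf's snort2c table on a pfSense box.
# PFCTL is overridable so the parsing logic can be exercised without pf.
PFCTL="${PFCTL:-pfctl}"

# Return 0 if host $1 is currently listed in the snort2c table, 1 otherwise.
# `pfctl -t snort2c -T show` prints one address per line, indented.
snort2c_has() {
    "$PFCTL" -t snort2c -T show 2>/dev/null | awk -v ip="$1" '
        { gsub(/^[ \t]+/, "") }        # strip pfctl indentation
        $1 == ip { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Remove host $1 from snort2c; pf stops dropping its traffic immediately.
# Without a suppress entry, disabled rule or Pass List, Snort can re-add it
# the next time a rule fires, which matches what the thread observed.
snort2c_unblock() {
    "$PFCTL" -t snort2c -T delete "$1" >/dev/null 2>&1
}

# One-word state for scripts: "blocked" or "clear".
snort2c_state() {
    if snort2c_has "$1"; then echo blocked; else echo clear; fi
}
```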



  • Yes I did, and then it was blocked again

    Finally I added a Pass list and it seems working now

    Still not sure which way is "best practice"



  • @chudak said in What is the right way to disable blocking traffic by Snort?:

    Yes I did, and then it was blocked again

    Finally I added a Pass list and it seems working now

    Still not sure which way is "best practice"

    It depends on the rules that are firing and how your network is configured. Using the information you posted, you would need to have disabled three different rules, and possibly even more. A Pass List will prevent hosts in the pass list from ever generating a block. If you trust that host, then a Pass List is best. That way it does not matter which rules are firing against that host, it will never be blocked.



  • That seems the way now!

    Thx!