Netgate Discussion Forum

What is right way to disable blocking traffic by snort?

Category: IDS/IPS
5 Posts, 2 Posters, 998 Views
  • chudak
    last edited Nov 15, 2018, 6:15 PM

    I get one IP blocked all the time when uploading files.
    The blocked message says "xxx.xxx.xxx.xx
    (http_inspect) WEBROOT DIRECTORY TRAVERSAL -- 2018-11-15 10:09:44
    ET TROJAN Win32/BlackCarat XORed (0x77) CnC Checkin -- 2018-11-15 09:23:16
    ET TROJAN Win32.Sality.3 Checkin -- 2018-11-15 09:51:19
    "

    I tried adding this IP to the suppress list, force-disabled the rule via the Alerts tab, and changed IPS Policy Selection from Security to Balanced, and so far I did not get it working.

    What is the right way to do this?

    Thx for your help!

    • bmeeks @chudak
      posted Nov 15, 2018, 9:25 PM; last edited by bmeeks Nov 15, 2018, 9:27 PM

      @chudak said in What is right way to disable blocking traffic by snort?:

      I get one IP blocked all the time when uploading files.
      The blocked message says "xxx.xxx.xxx.xx
      (http_inspect) WEBROOT DIRECTORY TRAVERSAL -- 2018-11-15 10:09:44
      ET TROJAN Win32/BlackCarat XORed (0x77) CnC Checkin -- 2018-11-15 09:23:16
      ET TROJAN Win32.Sality.3 Checkin -- 2018-11-15 09:51:19
      "

      I tried adding this IP to the suppress list, force-disabled the rule via the Alerts tab, and changed IPS Policy Selection from Security to Balanced, and so far I did not get it working.

      What is the right way to do this?

      Thx for your help!

      Did you also go to the BLOCKED tab and remove the blocked IP from that list? If you don't do that, the IP will stay blocked until you reboot the firewall no matter what you do with Suppress Lists or disabling of the rule. Once Snort alerts on and blocks an IP, it hands the blocking part over to the firewall. So the firewall will continue to block that IP until it is removed from the snort2c table in pf.

      • chudak
        last edited Nov 15, 2018, 9:28 PM

        Yes, I did, and then it was blocked again.

        Finally I added a Pass list and it seems working now

        Still not sure which way is "best practice".

        • bmeeks @chudak
          last edited Nov 15, 2018, 9:31 PM

          @chudak said in What is right way to disable blocking traffic by snort?:

          Yes, I did, and then it was blocked again.

          Finally I added a Pass list and it seems working now

          Still not sure which way is "best practice".

          It depends on the rules that are firing and how your network is configured. Using the information you posted, you would need to have disabled three different rules, and possibly even more. A Pass List will prevent hosts in the pass list from ever generating a block. If you trust that host, then a Pass List is best. That way it does not matter which rules are firing against that host, it will never be blocked.

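The distinction bmeeks draws above, as an added example that is not from the thread or from the pfSense Snort package: a small Python helper that parses a blocked-host entry in the format chudak quoted and reports which alerts would still block that host after disabling a single rule, versus after pass-listing the host. The 203.0.113.10 address, the line format and the function names are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the shape chudak quoted: the blocked host on the first
# line, then one "alert message -- timestamp" line per rule that fired.
# 203.0.113.10 (a documentation address) stands in for the poster's xxx.xxx.xxx.xx.
SAMPLE_BLOCK_ENTRY = """203.0.113.10
(http_inspect) WEBROOT DIRECTORY TRAVERSAL -- 2018-11-15 10:09:44
ET TROJAN Win32/BlackCarat XORed (0x77) CnC Checkin -- 2018-11-15 09:23:16
ET TROJAN Win32.Sality.3 Checkin -- 2018-11-15 09:51:19
"""

# "<message> -- <YYYY-MM-DD HH:MM:SS>"; the message may itself contain spaces
# and parentheses, so it is matched lazily up to the final " -- ".
ALERT_RE = re.compile(r"^(?P<msg>.+?) -- (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")


@dataclass
class BlockEntry:
    host: object          # ipaddress.IPv4Address or IPv6Address
    alerts: list          # list of (message, timestamp) tuples


def parse_block_entry(text):
    """Split one blocked-host entry into the host and the alerts behind the block."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    host = ipaddress.ip_address(lines[0])
    alerts = []
    for line in lines[1:]:
        m = ALERT_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised alert line: {line!r}")
        alerts.append((m["msg"], m["ts"]))
    return BlockEntry(host, alerts)


def remaining_block_triggers(entry, disabled_rules=(), pass_list=()):
    """Alert messages that would still block the host after the given tuning.

    A host inside any pass-listed network never generates a block, whatever
    fires.  Disabling (or suppressing) rules only removes the matching alerts,
    so every rule not yet covered still blocks the host on its next hit.
    """
    for net in pass_list:
        if entry.host in ipaddress.ip_network(net, strict=False):
            return []
    disabled = set(disabled_rules)
    return [msg for msg, _ in entry.alerts if msg not in disabled]
```

With the sample entry, disabling only the http_inspect rule leaves two alerts that would re-block the host, while a pass list covering 203.0.113.0/24 leaves none, which is why the thread settles on the pass list.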
          • chudak
            last edited Nov 15, 2018, 9:33 PM

            That seems the way now!

            Thx!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.