Snort - Whitelist IP from specific rules?

IDS/IPS
Log in to reply
  • H

    I have an IP being blocked. I don't want to whitelist that IP entirely, just the specific rules its triggering. Is that possible? If I go to the rule, I can only disable the rule. The only IDS/IPS I'm familiar with is Sourcefire..

    For some reason snort is blocking speed tests but only from mobile devices. It works from a PC.

    0
  • johnpoz
    LAYER 8 Global Moderator

    Never ceases to amaze me why someone would turn an IPS on in blocking mode without a clue to manage it ;)

    Yeah your going to have some serious growing pains in such a setup..
    https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html

    Read the section on creating pass lists.

    0
  • H

    Thank you for the helpful reply.

    0
  • johnpoz
    LAYER 8 Global Moderator

    Your welcome, all the info you need is in that doc I linked too.

    0
  • H

    It wasn't clear to me that suppressing an alert will actually stop blocking it as well. I wrongly assumed it would still block, just not tell me... which doesn't make much sense now that I think about it.

    "When an alert is suppressed, then Snort no longer logs an alert entry (or blocks the IP address if block offenders is enabled) when a particular rule fires." -- I didn't see the part in parentheses the first time I skimmed through :)

    0
  • johnpoz
    LAYER 8 Global Moderator

    This is why when you enable a IPS you run it in monitor mode only for quite some time learning the traffic that is normal for your network to adjust your rules, before you ever think about turning on blocking mode.

    Turning on any IPS out of the gate in block mode is asking for nothing but false positives and issues with your users screaming XYZ doesn't work, etc.

    0
  • H

    I can appreciate your advice. If this was an actual production setup, and not a simple home-lab I surely would have followed that approach.

    0
  • bmeeks

    You also have multiple options for using a Suppress List entry. You can suppress a rule entirely for all IP addresses, or you can selectively suppress the rule based on either SOURCE or DESTINATION IP address in the packet. Hover over the little plus sign (+) icons by each alert on the ALERTS tab to see the options (they will appear in a tooltip pop-up).

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy