Netgate Discussion Forum
    Snort - Whitelist IP from specific rules?

      Hossius

      I have an IP being blocked. I don't want to whitelist that IP entirely, just the specific rules it's triggering. Is that possible? If I go to the rule, I can only disable the rule. The only IDS/IPS I'm familiar with is Sourcefire.

      For some reason snort is blocking speed tests but only from mobile devices. It works from a PC.

        johnpoz LAYER 8 Global Moderator

        Never ceases to amaze me why someone would turn an IPS on in blocking mode without a clue to manage it ;)

        Yeah, you're going to have some serious growing pains in such a setup.
        https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html

        Read the section on creating pass lists.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          Hossius

          Thank you for the helpful reply.

            johnpoz LAYER 8 Global Moderator

            You're welcome, all the info you need is in that doc I linked to.


              Hossius

              It wasn't clear to me that suppressing an alert will actually stop blocking it as well. I wrongly assumed it would still block, just not tell me... which doesn't make much sense now that I think about it.

              "When an alert is suppressed, then Snort no longer logs an alert entry (or blocks the IP address if block offenders is enabled) when a particular rule fires." -- I didn't see the part in parentheses the first time I skimmed through :)

                johnpoz LAYER 8 Global Moderator

                This is why, when you enable an IPS, you run it in monitor mode only for quite some time, learning the traffic that is normal for your network to adjust your rules, before you ever think about turning on blocking mode.

                Turning on any IPS out of the gate in block mode is asking for nothing but false positives and issues with your users screaming XYZ doesn't work, etc.


                  Hossius

                  I can appreciate your advice. If this was an actual production setup, and not a simple home-lab, I surely would have followed that approach.

                    bmeeks

                    You also have multiple options for using a Suppress List entry. You can suppress a rule entirely for all IP addresses, or you can selectively suppress the rule based on either SOURCE or DESTINATION IP address in the packet. Hover over the little plus sign (+) icons by each alert on the ALERTS tab to see the options (they will appear in a tooltip pop-up).

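As an added example (not from this thread or the pfSense Snort package), the following Python script reads Snort fast-format alert lines and emits Suppress List entries tracked by source IP, so that only the rules a given host actually fired are silenced for that host while the same rules stay active for everyone else; the alert lines, rule SIDs and addresses are constructed for illustration.

```python
import re
from typing import List

# Snort "fast" alert format as written by the alert_fast output plugin:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} SRC:PORT -> DST:PORT
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (not real traffic): one host trips two local rules,
# a second host trips one of the same rules.
SAMPLE_ALERTS = """\
01/02-03:04:05.678901  [**] [1:2000001:3] LOCAL speed test payload [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.5:443
01/02-03:04:06.000001  [**] [1:2000002:1] LOCAL large download [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51235 -> 198.51.100.5:443
01/02-03:04:07.000001  [**] [1:2000001:3] LOCAL speed test payload [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.20:40000 -> 198.51.100.5:443
"""


def suppress_entries_for_host(alert_text: str, host_ip: str) -> List[str]:
    """Return suppress.conf lines that silence, for host_ip only, each rule it fired.

    'track by_src' limits the suppression to packets from host_ip; a bare
    'suppress gen_id X, sig_id Y' would disable the rule for every address.
    Use 'track by_dst' instead when the host is the destination in the alert.
    """
    rules = {}
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or m.group("src") != host_ip:
            continue
        # One entry per (gid, sid); the message is kept as a comment for the operator.
        rules[(int(m.group("gid")), int(m.group("sid")))] = m.group("msg")
    return [
        f"# {msg}\nsuppress gen_id {gid}, sig_id {sid}, track by_src, ip {host_ip}"
        for (gid, sid), msg in sorted(rules.items())
    ]


if __name__ == "__main__":
    print("\n".join(suppress_entries_for_host(SAMPLE_ALERTS, "192.0.2.10")))
```

The emitted lines can be pasted into a Suppress List on the pfSense Snort package and assigned to the interface; the rule keeps alerting and blocking for any other source address.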
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.