Snort - Whitelist IP from specific rules?



  • I have an IP being blocked. I don't want to whitelist that IP entirely, just the specific rules it's triggering. Is that possible? If I go to the rule, I can only disable the rule. The only IDS/IPS I'm familiar with is Sourcefire.

    For some reason snort is blocking speed tests but only from mobile devices. It works from a PC.


  • LAYER 8 Global Moderator

    Never ceases to amaze me why someone would turn an IPS on in blocking mode without a clue to manage it ;)

    Yeah, you're going to have some serious growing pains in such a setup.
    https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html

    Read the section on creating pass lists.



  • Thank you for the helpful reply.


  • LAYER 8 Global Moderator

    You're welcome, all the info you need is in that doc I linked to.



  • It wasn't clear to me that suppressing an alert will actually stop blocking it as well. I wrongly assumed it would still block, just not tell me... which doesn't make much sense now that I think about it.

    "When an alert is suppressed, then Snort no longer logs an alert entry (or blocks the IP address if block offenders is enabled) when a particular rule fires." -- I didn't see the part in parentheses the first time I skimmed through :)


  • LAYER 8 Global Moderator

    This is why, when you enable an IPS, you run it in monitor mode only for quite some time, learning the traffic that is normal for your network to adjust your rules, before you ever think about turning on blocking mode.

    Turning on any IPS out of the gate in block mode is asking for nothing but false positives and issues with your users screaming XYZ doesn't work, etc.



  • I can appreciate your advice. If this was an actual production setup, and not a simple home-lab, I surely would have followed that approach.



  • You also have multiple options for using a Suppress List entry. You can suppress a rule entirely for all IP addresses, or you can selectively suppress the rule based on either SOURCE or DESTINATION IP address in the packet. Hover over the little plus sign (+) icons by each alert on the ALERTS tab to see the options (they will appear in a tooltip pop-up).
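
The three suppression scopes described in the post above, written out as Snort 2.x `suppress` lines (an added example, not part of the original thread). The GID/SID pair and the IP addresses are constructed placeholders; take the real values from the entry on the ALERTS tab.

```conf
# Constructed placeholders: gen_id 1 / sig_id 1000001 stand in for the rule
# that is firing; 192.0.2.10 and 198.51.100.20 are documentation addresses.
# The three forms are alternatives for one rule: use only one of them.

# 1) Suppress the rule entirely, for all IP addresses.
suppress gen_id 1, sig_id 1000001

# 2) Suppress only when the packet's SOURCE address is the listed host.
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.10

# 3) Suppress only when the packet's DESTINATION address is the listed host.
suppress gen_id 1, sig_id 1000001, track by_dst, ip 198.51.100.20
```

Unlike whitelisting the address entirely, the `by_src` and `by_dst` forms leave every other rule active for that host, and the suppressed rule still fires for all other addresses.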

