Allow some LAN IPs bypass snort?



  • Hi, I had been testing snort on pfsense 2.4.4_p2.

    What is the correct way to bypass some IP from the LAN from snort?

    I have enable WAN and LAN.

    Thanks from your time!!!



  • Generally, especially for a home network with no external-facing services exposed (e.g., web server, mail server, DNS server, etc.), you only need to put Snort (or Suricata) on you LAN interface.

    Out-of-the-box Snort will use an automatic Pass List that consists of all locally-attached IP subnets (meaning your LAN IP block such as 192.168.0.0/24 for example). The actual IP subnet will reflect whatever is set up on your LAN interface. This automatic Pass List also includes any configured DNS servers, your default gateway and the WAN public IP address (for the WAN, just the specific IP and not the whole subnet; for the LAN the whole subnet is included).

    So this means that out-of-the box Snort will not block local host IP addresses. It still may block traffic from some external source to a local host by blocking the source IP (or destination IP if the traffic is outbound from some local host to an external host). Therefore you will normally not need to do anything extra in terms of protecting locally-attached hosts from getting blocked.

    Are you having a specific issue? Is there maybe some other subnet farther behind your LAN that is getting blocked?



  • I reinstall snort to see this details u mention which I clearly understand what u say and appreciated.

    Speaking of the LAN network, suppose that u need to allow some LAN IP's not to be inspect by snort.

    Is possible to do this?

    Thanks for your clearly info again.



  • You can use the IP Reputation feature to accomplish this. First, upload an IP list containing the IP addresses of hosts you wish to exempt from Snort rules. You do this on the IP LISTS tab of the Snort GUI. Next, go to the LAN INTERFACE SETTINGS tab in Snort and edit the LAN interface. Choose the IP REP tab. There you will enable whitelisting by adding/selecting the IP list you uploaded earlier. Details on Snort whitelisting and blacklisting can be found in the Snort docs here.


Log in to reply