Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Allow some LAN IPs bypass snort?

    IDS/IPS
    2
    4
    1.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • perikoP
      periko
      last edited by

      Hi, I had been testing snort on pfsense 2.4.4_p2.

      What is the correct way to bypass some IP from the LAN from snort?

      I have enable WAN and LAN.

      Thanks from your time!!!

      Necesitan Soporte de Pfsense en México?/Need Pfsense Support in Mexico?
      www.bajaopensolutions.com
      https://www.facebook.com/BajaOpenSolutions
      Quieres aprender PfSense, visita mi canal de youtube:
      https://www.youtube.com/c/PedroMorenoBOS

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by bmeeks

        Generally, especially for a home network with no external-facing services exposed (e.g., web server, mail server, DNS server, etc.), you only need to put Snort (or Suricata) on you LAN interface.

        Out-of-the-box Snort will use an automatic Pass List that consists of all locally-attached IP subnets (meaning your LAN IP block such as 192.168.0.0/24 for example). The actual IP subnet will reflect whatever is set up on your LAN interface. This automatic Pass List also includes any configured DNS servers, your default gateway and the WAN public IP address (for the WAN, just the specific IP and not the whole subnet; for the LAN the whole subnet is included).

        So this means that out-of-the box Snort will not block local host IP addresses. It still may block traffic from some external source to a local host by blocking the source IP (or destination IP if the traffic is outbound from some local host to an external host). Therefore you will normally not need to do anything extra in terms of protecting locally-attached hosts from getting blocked.

        Are you having a specific issue? Is there maybe some other subnet farther behind your LAN that is getting blocked?

        1 Reply Last reply Reply Quote 0
        • perikoP
          periko
          last edited by

          I reinstall snort to see this details u mention which I clearly understand what u say and appreciated.

          Speaking of the LAN network, suppose that u need to allow some LAN IP's not to be inspect by snort.

          Is possible to do this?

          Thanks for your clearly info again.

          Necesitan Soporte de Pfsense en México?/Need Pfsense Support in Mexico?
          www.bajaopensolutions.com
          https://www.facebook.com/BajaOpenSolutions
          Quieres aprender PfSense, visita mi canal de youtube:
          https://www.youtube.com/c/PedroMorenoBOS

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by

            You can use the IP Reputation feature to accomplish this. First, upload an IP list containing the IP addresses of hosts you wish to exempt from Snort rules. You do this on the IP LISTS tab of the Snort GUI. Next, go to the LAN INTERFACE SETTINGS tab in Snort and edit the LAN interface. Choose the IP REP tab. There you will enable whitelisting by adding/selecting the IP list you uploaded earlier. Details on Snort whitelisting and blacklisting can be found in the Snort docs here.

            1 Reply Last reply Reply Quote 1
            • C CSEShop2 referenced this topic on
            • C CSEShop2 referenced this topic on
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.