Restrict Snort preprocessor rules by hosts?


  • Is it possible to restrict Snort preprocessor rules to hosts/netblocks?

    When traffic matches one of the preprocessor rules, and also matches a host/netblock alias, I would like to configure things so that it does not block and also does not create an entry in the alert log.

    For a regular rule, I can copy it into a custom rule, change it to a pass and set the src/dest to be those hosts. This will run before the download rule (because it is a pass) and in addition to not blocking, it will also not spam the alert log. However, if the rule is a preprocessor rule, thus without src/dest properties, I can't do it this way. Am I correct?

    Rather than waiting for something more hair-raising to show up, I will use traffic from a Vonage device to one of it servers as a (poor) example:
    2020-08-19
    13:15:01 3 TCP Not Suspicious Traffic 192.168.170.201
    50037 69.59.239.17
    80 119:4
    (http_inspect) BARE BYTE UNICODE ENCODING

    I could put 69.59.224.0/19 into an alias and put that into a Pass List, but that would pass all traffic going to that netblock, and would also still spam the alert log.

    I may not know enough about 119:4 BARE BYTE UNICODE ENCODING to be sure that I can disable it for all hosts, just that I trust it to be ok going to the Vonage servers. Is there any way that I can configure for this?

    thanks!
    Bill


  • Read up on the Event Suppression topic in the Snort.org documentation manual. Here is a direct link: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node19.html#SECTION00343000000000000000.

    The Snort package implements this using Suppress Lists. There is tab in the top-level Snort menu for this, or you can optionally use teh small plus ("+") icons on the ALERTS tab to automatically create suppression list entries for an alert.

    If you manually create your own Suppress List on the SUPPRESS tab, be sure to go to the INTERFACES tab, choose to edit the interface where you want to use the suppress list and then assign the list to the interface. It's generally easier to just use the icons on the ALERTS tab as that code will take care of creating and then assigning a Suppress List for the interface.

    To answer part of your original question, "No", you can't put pfSense aliases into Snort rules. The underlying Snort binary has no concept of pfSense aliases nor any method to interact with them. After the list is created, you can always go to the SUPPRESS tab and then manually edit the list if desired. You might want to edit the list to create additional filter parameters, for example.


  • @bmeeks thank you Bill! I'm ashamed that I didn't already read that before posting. I had developed the idea that suppression was "rule-atomic" if you will, but now I see the light!

    Working beautifully:
    #(http_inspect) BARE BYTE UNICODE ENCODING
    suppress gen_id 119, sig_id 4, track by_dst, ip 69.59.224.0/19