Netgate Discussion Forum

    How to whitelist Anydesk (Remote Access Software) in snort?

    IDS/IPS
    12 Posts 4 Posters 5.5k Views

    • noor92

      Hi everyone,
      I have configured Snort on my 2 WAN interfaces in my pfSense and selected some rules, like malware, scan, Trojan, exploit, DDoS. I have downloaded GPLv3 community rules, ET rules and Snort registered rules.
      Everything is working fine except that Anydesk traffic is getting blocked. I have a couple of systems in my LAN which clients access using Anydesk from the internet; after installing and enabling Snort, they are not able to access the systems. I wonder if anyone can guide me on how to whitelist Anydesk in Snort. The following alerts belong to the Anydesk traffic blocked by Snort.

      Alerts.jpg

      • Gertjan @noor92


        @noor92 said in How to whitelist Anydesk (Remote Access Software) in snort?:

        after installing and enabling snort

        I don't get it ....
        Normally, after installing Snort, the scan-and-warn mode should be enabled, not the blocking mode.
        After weeks (but it will take you longer) of log analysing, taking care of every false positive (like your issue right now, which looks to me like a simple protocol error, as services can not answer before a client asks something .... except if "divine mode" is activated), you could consider activating blocking mode.

        Btw: you have a program that really communicates over the Internet using http (port 80)? Consider that a huge security risk. Go to 443 - or stop using it.

        Look up all the Snort posts of forum user @bmeeks; he posts many Snort usage tips every week.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • noor92 @Gertjan


          @Gertjan The program which is using ports 80 and 443 is Anydesk software (Anydesk is remote access software, like TeamViewer). As I mentioned, we are using Anydesk software to access our systems on our LAN from the internet.

          The source IP addresses that you can see in the logs are all Anydesk IPs.

          What I want to do is to whitelist Anydesk in Snort, and I do not know how to accomplish this. Should I configure an IP pass list in Snort by adding all the IPs which belong to Anydesk?

          • bmeeks @noor92


            @noor92 said in How to whitelist Anydesk (Remote Access Software) in snort?:

            @Gertjan The program which is using ports 80 and 443 is Anydesk software (Anydesk is remote access software, like TeamViewer). As I mentioned, we are using Anydesk software to access our systems on our LAN from the internet.

            The source IP addresses that you can see in the logs are all Anydesk IPs.

            What I want to do is to whitelist Anydesk in Snort, and I do not know how to accomplish this. Should I configure an IP pass list in Snort by adding all the IPs which belong to Anydesk?

            Whitelisting is not what you want in this case.

            You broke the cardinal rule of IDS/IPS that I preach about and that @Gertjan mentioned. You installed the package and immediately enabled blocking without first carefully selecting your rules and evaluating your network traffic for several weeks in non-blocking mode to see what false positives occur so you could disable those rules. So now you are reaping the result of not following the suggested course. You are getting nuisance blocks.

            You have a series of clear false-positive rules from the HTTP_INSPECT preprocessor in that ALERTS tab capture. If you search this forum for a bit, you will find a lot of posts where this is discussed and what to do about it.

            The IDS/IPS packages are not a good fit for inexperienced IT Security admins. These packages are not like anti-virus products that you can just install, update, and forget about. They require constant maintenance and tuning. You also need a firm foundation in the threats out there (how they work) as well as knowledge of the rules syntax and how they detect the threats. Finally, it stands to reason you need to know how to actually configure and operate the package in question. Installing the IDS/IPS packages on a home network for experimentation and learning is one thing, but installing them on a commercial production network without lots of experience configuring and maintaining them is a recipe for disaster.

            • NogBadTheBad


              @bmeeks said in How to whitelist Anydesk (Remote Access Software) in snort?:

              You have a series of clear false-positive rules from the HTTP_INSPECT preprocessor in that ALERTS tab capture. If you search this forum for a bit, you will find a lot of posts where this is discussed and what to do about it.

              You can disable the preprocessor rules here if needed:-

              Screenshot 2020-10-22 at 20.40.45.png

              @bmeeks is the filtering option broken?

              Screenshot 2020-10-22 at 20.44.02.png

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              • bmeeks @NogBadTheBad


                @NogBadTheBad said in How to whitelist Anydesk (Remote Access Software) in snort?:

                @bmeeks is the filtering option broken?

                Screenshot 2020-10-22 at 20.44.02.png

                It's not supposed to be ... 😊, but I have not checked it lately. I will need to test it.

                • bmeeks @NogBadTheBad


                  @NogBadTheBad:
                  I just tested the "Disabled Rules" filter on my firewall and it worked (in Snort).

                  • noor92 @bmeeks


                    @bmeeks Thanks for your reply. The answer was short and I've just got it from another fellow member here: I just need to suppress the alert. Please correct me if I am wrong.

                    • Gertjan


                      That must be:

                      5fac6f83-d49a-4e78-bb55-9a075c021362-image.png

                      • NogBadTheBad @bmeeks


                        @bmeeks said in How to whitelist Anydesk (Remote Access Software) in snort?:

                        @NogBadTheBad:
                        I just tested the "Disabled Rules" filter on my firewall and it worked (in Snort).

                        Should it not also filter disabled by user rather than disabled by default?

                        As a test I disabled 1:49361 and it doesn't show:-

                        Screenshot 2020-10-23 at 09.11.43.png

                        Screenshot 2020-10-23 at 09.12.06.png

                        • bmeeks @NogBadTheBad


                          @NogBadTheBad said in How to whitelist Anydesk (Remote Access Software) in snort?:

                          @bmeeks said in How to whitelist Anydesk (Remote Access Software) in snort?:

                          @NogBadTheBad:
                          I just tested the "Disabled Rules" filter on my firewall and it worked (in Snort).

                          Should it not also filter disabled by user rather than disabled by default?

                          As a test I disabled 1:49361 and it doesn't show:-

                          Screenshot 2020-10-23 at 09.11.43.png

                          Screenshot 2020-10-23 at 09.12.06.png

                          I need to check the code to see what it's doing. I know it catches rules disabled by SID MGMT configurations, because that's how I have a number of the HTTP_INSPECT rules disabled.

                          • bmeeks @noor92


                            @noor92 said in How to whitelist Anydesk (Remote Access Software) in snort?:

                            @bmeeks Thanks for your reply. The answer was short and I've just got it from another fellow member here: I just need to suppress the alert. Please correct me if I am wrong.

                            I would instead suggest disabling those rules. They are highly prone to false positives. Suppressing them still loads them into memory, and CPU cycles are wasted evaluating traffic against them. They just don't generate alerts when suppressed. Disabling them results in them never even being loaded up, so RAM and CPU cycles are conserved for more important rules.

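The tuning workflow the thread recommends (run in non-blocking mode, see which rules fire on normal traffic, then disable the noisy preprocessor rules rather than suppress them) can be started from the alert log itself. The script below is an added example, not code from the thread or from the pfSense Snort package: it tallies alerts per GID:SID from constructed sample lines in Snort's alert_fast format and emits disable-list entries for HTTP_INSPECT rules (GIDs 119 and 120, assumed here to be the preprocessor's generator IDs) that fire repeatedly, leaving text rules such as 1:49361 for a human to judge.

```python
import re
from collections import Counter

# Constructed sample in Snort's alert_fast format (not taken from the thread).
# GIDs 119/120 are the HTTP_INSPECT preprocessor (client/server side);
# 1:49361 is the text rule the thread mentions; addresses are RFC 5737 examples.
SAMPLE_ALERTS = """\
10/22/20-20:40:45.100001  [**] [120:3:2] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.5:80 -> 192.168.1.10:52344
10/22/20-20:40:46.100002  [**] [120:3:2] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.5:80 -> 192.168.1.10:52345
10/22/20-20:40:47.100003  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Priority: 3] {TCP} 192.168.1.10:52346 -> 203.0.113.5:80
10/22/20-20:41:02.100004  [**] [1:49361:1] CONSTRUCTED TEXT RULE MESSAGE [**] [Priority: 2] {TCP} 198.51.100.7:443 -> 192.168.1.10:52347
"""

# gid:sid:rev followed by the alert message, both between the [**] markers
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):\d+\] (.+?) \[\*\*\]")

# Preprocessor generator IDs: these alerts are protocol-conformance events,
# not signatures of a known threat, so repeated hits are disable candidates.
PREPROC_GIDS = {119, 120}


def tally_alerts(log_text):
    """Return {(gid, sid): (hit_count, message)} over the whole log."""
    counts = Counter()
    messages = {}
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        key = (int(m.group(1)), int(m.group(2)))
        counts[key] += 1
        messages[key] = m.group(3)
    return {k: (n, messages[k]) for k, n in counts.items()}


def disablesid_candidates(tallied, min_hits=2):
    """Preprocessor rules firing at least min_hits times, as gid:sid entries in
    the pulledpork-style disablesid format (one entry per line, '#' comments)."""
    lines = []
    for (gid, sid), (n, msg) in sorted(tallied.items()):
        if gid in PREPROC_GIDS and n >= min_hits:
            lines.append(f"# {n} hits: {msg}")
            lines.append(f"{gid}:{sid}")
    return lines


if __name__ == "__main__":
    tallied = tally_alerts(SAMPLE_ALERTS)
    for (gid, sid), (n, msg) in sorted(tallied.items()):
        print(f"{gid}:{sid}  {n:>4}  {msg}")
    print("\n".join(disablesid_candidates(tallied)))
```

Review the candidate list before pasting it into the SID Mgmt disable list; a preprocessor rule that fires often on legitimate traffic is the false-positive pattern bmeeks describes, but the count alone does not prove a rule is noise.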
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.