Netgate Discussion Forum

    snort ignoring VIP addresses

      batre

      Hey guys,

      got a question about Snort: is there a way to ignore some of our Virtual IPs so Snort doesn't manage them and generate alerts?

      Blocking via a floating rule doesn't work.

      best regards

        bmeeks

        The package should be pulling in the VIPs automatically as part of the default pass list, but if for some reason that is not happening you can simply create a custom pass list for an interface.

        1. Go to the PASS LISTS tab and click Add to create a new list.
        2. Leave the default choices selected and then add your custom IP addresses or networks down at the bottom using the GUI controls (buttons) there. Save the new list. You can use the default provided name or type in your own name.
        3. Go to the INTERFACE SETTINGS tab for the Snort interface on which you want to use this new Pass List, and assign the list by choosing its name in the Pass List drop-down selector. Save the change.
        4. Return to the INTERFACES tab and restart Snort on the interface where you just changed the Pass List setting.

        And to clear the previous block, you will need to go to the BLOCKS tab and clear that VIP from the list.

          batre @bmeeks

          @bmeeks doesn't help, it still creates alerts and blocks the VIP addresses in my alias group

          Blocking them or alerts from these addresses isn't the problem, I just want Snort to ignore these VIP addresses (don't need the alerts when nothing is open from these VIP addresses)

            bmeeks @batre

            @batre said in snort ignoring VIP addresses:

            @bmeeks doesn't help, it still creates alerts and blocks the VIP addresses in my alias group

            Blocking them or alerts from these addresses isn't the problem, I just want Snort to ignore these VIP addresses (don't need the alerts when nothing is open from these VIP addresses)

            You can suppress alerts for specific IP addresses. On the ALERTS tab hover over the icons shown with the SRC and DST IP addresses for an alert row. Clicking those icons will add the IP to a suppression list.

            Sorry I misread your earlier post as not wanting the VIPs blocked. That is the most common complaint from IDS/IPS users, so my mind just immediately went there ... 😊

            Firewall rules cannot be used to prevent Snort alerts because the Snort instance is running between the NIC and the firewall engine. That means Snort sees all inbound traffic on the interface BEFORE the firewall does.

              batre

              @bmeeks it adds the IP and alert to the suppress list, but there are endless different alerts, so that doesn't work

              Something like this is what I'm looking for: suppress ip XXX.XXX.XXX.XXX

                bmeeks @batre

                @batre said in snort ignoring VIP addresses:

                @bmeeks it adds the IP and alert to the suppress list, but there are endless different alerts, so that doesn't work

                Something like this is what I'm looking for: suppress ip XXX.XXX.XXX.XXX

                That mode of operation is not available. Suppression is a per-rule thing. You can suppress by source or destination IP, but only for a given GID:SID rule signature. So if your VIP is triggering many different rules, you will have to suppress it in each triggered rule.

                Another option you can explore is creating a custom PASS rule that includes just that VIP (or VIP collection if it is several). PASS rules are evaluated first, and any traffic matching a PASS rule bypasses the rest of the rule signatures. So be careful if you choose to try a PASS rule. Make it too encompassing and you will completely neuter Snort.
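As an added example (not from this thread, and not part of the pfSense Snort package), the per-rule suppression described above can be generated instead of clicked through alert by alert: this script reads Snort alert_fast lines and emits one `suppress gen_id ..., sig_id ..., track ..., ip ...` entry per GID:SID and direction for a given VIP, suitable for pasting into a suppress list. The alert_fast log format and the sample alerts, SIDs and addresses below are assumptions, constructed for illustration.

```python
import re
from collections import OrderedDict

# Assumed Snort "alert_fast" line shape (the constructed samples below match it):
#   MM/DD-HH:MM:SS.ffffff  [**] [GID:SID:REV] msg [**] [Classification: ...] [Priority: N] {PROTO} SRC:PORT -> DST:PORT
FAST_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts; 192.0.2.10 plays the role of the VIP. The rule
# messages and SIDs are made up for this example.
SAMPLE_ALERTS = [
    "03/01-10:00:01.000001  [**] [1:1000001:1] SAMPLE rule A [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:44321 -> 192.0.2.10:80",
    "03/01-10:00:02.000002  [**] [1:1000001:1] SAMPLE rule A [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.8:44322 -> 192.0.2.10:80",
    "03/01-10:00:03.000003  [**] [129:12:1] SAMPLE preprocessor alert [**] "
    "[Priority: 3] {TCP} 192.0.2.10:80 -> 198.51.100.7:44321",
    "03/01-10:00:04.000004  [**] [1:1000002:1] SAMPLE rule B [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.9:3478 -> 192.0.2.99:3478",
]


def suppress_entries(alert_lines, vip):
    """Return suppress-list lines (a '# msg' comment followed by the suppress
    entry) for every GID:SID in which `vip` appears as source or destination.
    Snort suppress entries track by_src or by_dst, never both, so a VIP seen
    in both directions for one rule yields two entries."""
    seen = OrderedDict()  # (gid, sid, track) -> msg, first occurrence wins
    for line in alert_lines:
        m = FAST_RE.search(line)
        if not m:
            continue  # not an alert_fast line (or unparsable); skip it
        if m["src"] == vip:
            track = "by_src"
        elif m["dst"] == vip:
            track = "by_dst"
        else:
            continue  # alert does not involve the VIP
        seen.setdefault((int(m["gid"]), int(m["sid"]), track), m["msg"])
    out = []
    for (gid, sid, track), msg in seen.items():
        out.append(f"# {msg}")
        out.append(f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {vip}")
    return out


if __name__ == "__main__":
    print("\n".join(suppress_entries(SAMPLE_ALERTS, "192.0.2.10")))
```

Re-run it as new rules start firing for the VIP; entries already in the list are simply regenerated identically.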

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.