Snort user whitelist for bypassing blocked IPs
-
Hello!
I want to block all remote control apps in my org. Mostly everyone is trying to use AnyDesk, so mostly because of this. Finding no success in SquidGuard, I went to using Snort with the OpenAppID Detector. After configuring, blocking worked perfectly and AnyDesk wasn't able to connect to its servers. But sometimes we need to use AnyDesk on specific computers. Adding a Pass List of the local IPs of the needed computers is not working for bypassing the blocked external IP list of AnyDesk. Also, Snort blocked access even for my VLAN networks that weren't even configured to be monitored.
I'm a beginner in this, so I would like to ask for advice on configuring Snort. I have 12 VLAN networks and there is a need to block remote access apps with an ability to allow using these apps for a list of specific local IPs, bypassing the list of blocked external IPs.
By the way, while Snort was active, alerts were generated only for LAN interfaces and never triggered for WAN. Is it supposed to work this way or am I doing something wrong?
pfSense CE 2.7.2
-
@MichaelRMO When you see the IP address you want in the alert area, click suppress for that IP and it will no longer block that one in Snort. Try to suppress that IP address. If it's many, look at the suppress list and manually add to it, and/or write a quick Java program to create a new list based on a text file you have. Hope that helps. I use AppID with custom lists, so I have a massive suppress list.
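
The list-building step suggested in the reply above, as an added example that is not part of the original thread and is written in Python rather than Java: it turns a text file of local hosts into Snort `suppress` entries, skipping anything that is not a private address or is broader than a /24 so the suppress list stays narrow. The function name, the sample addresses, the `track by_src` direction and the GID:SID values are assumptions; use the GID:SID of the alert you actually want to suppress.

```python
import ipaddress

# Constructed sample input: one local host or CIDR per line, '#' starts a comment.
SAMPLE_HOSTS = """\
# machines allowed to run AnyDesk (constructed addresses)
192.168.10.25
192.168.10.25
192.168.20.0/30   # small admin subnet
10.0.0.0/8        # too broad
8.8.8.8           # not a local address
not-an-ip
"""


def build_suppress_list(text, gen_id, sig_id, min_prefix=24):
    """Return (suppress_lines, rejected) for the IPv4 hosts listed in text.

    gen_id and sig_id are the GID:SID of the alert being suppressed; the
    caller supplies them. Entries are tracked by source, on the assumption
    that the listed local hosts originate the blocked traffic.
    """
    lines, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError:
            rejected.append((lineno, entry, "not a valid IPv4 address or network"))
            continue
        if not net.is_private:
            rejected.append((lineno, entry, "not a private (local) address"))
        elif net.prefixlen < min_prefix:
            rejected.append((lineno, entry, f"broader than /{min_prefix}"))
        elif net not in seen:
            seen.add(net)
            # Single hosts are written without the /32 suffix.
            target = str(net.network_address) if net.prefixlen == 32 else str(net)
            lines.append(f"suppress gen_id {gen_id}, sig_id {sig_id}, "
                         f"track by_src, ip {target}")
    return lines, rejected


if __name__ == "__main__":
    # 1 and 1000001 are placeholder GID:SID values, not taken from the thread.
    entries, skipped = build_suppress_list(SAMPLE_HOSTS, gen_id=1, sig_id=1000001)
    print("\n".join(entries))
    for lineno, entry, reason in skipped:
        print(f"# skipped line {lineno}: {entry!r} ({reason})")
```

Review the skipped lines before pasting the output into the suppress list: every entry removes alerting, and therefore blocking, for that host on the chosen rule.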