Snort exception for VPN traffic?



  • We've been long time PFSense users, but only recently tried out SNORT. I was very impressed with it and horrified to see the number of apparent attacks on our network, but I've had to turn it off because the number of false alarms is too high and the IP blocking is disrupting our operations too much.

    We run a distributed development team with a lot of work being done remotely. This is mostly done via OpenVPN in "RoadWarrior" mode and if one of our users gets blocked, it can result in a lot of lost work. If we've got someone technical in the office, it's not too serious since the remote user can phone in and ask to be unblocked, but there have been several occasions when there was nobody on the LAN capable of clearing down the blocked list and all the technically competent users were away from the office on IP addresses that had got blocked!

    I trust the VPN to protect our systems - can we have a mechanism to introduce an exception on SNORT so that VPN traffic is allowed through even from otherwise blocked IP addresses?

    Thanks for all your efforts…

    Martin



  • I seem to answer this question by PM every other month by admins running large user bases through VPN.
    I have to try to make a user case study as a tutorial to help you guys out.

    What rules are giving you false positives?

    Have you done these steps:

    1. modified the alert so that false positives are reduced.

    2. disabled the alert or preprocessor.

    3. added those friendly IPs to the whitelist or your home-net?

    "I trust the VPN to protect our systems - can we have a mechanism to introduce an exception on SNORT so that VPN traffic is allowed through even from otherwise blocked IP addresses?"

    If you're talking about a firewall rule, yes, I am looking into a way to do that through pf anchors. But please be able to help out testing it.

    "Thanks for all your efforts…"

    Rob



  • Thanks for your input, Rob.

    Whitelisting is not really relevant when the remote user is logging in from a range of locations. Actually, it's not really meaningful even when they are coming in from a single location in many cases - our chief developer uses an internet connection with dynamic IP from one of the biggest ISPs in this country - I've had to whitelist their entire IP range and, in the process, told SNORT to ignore probably thirty percent or more of the UK internet users!

    I also spent a lot of time turning off rules - but there's a lot of them that trigger from time to time. I described them as "false positives" which may not be strictly true - I guess the point is that a lot of remote users coming into the network over VPNs are doing so from public ISPs and quite a lot of the attacks I'm seeing are probably genuine. We are a commercial organisation hosting public facing web sites behind this firewall and it's harmful to business to block incoming traffic unnecessarily.

    How does pfSense block traffic from IP addresses identified by SNORT? Does it generate hidden firewall rules to block the offending IP addresses? If that is the case, could we set it up so that the generated block rules were inserted at an identifiable point in the rule list? That way, I could simply insert exception rules above that point which would always override the internally generated blocks and, thus, permit specific protocols or destinations irrespective of the SNORT decisions.

    This would actually be better than putting in some sort of VPN exception - it would also allow me, for example, to add further exceptions to allow access to my web sites even while stopping port scans and attempts to bust into the RDP ports on my servers!

    Martin
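The rule ordering Martin asks about, as an added illustration that is not from the thread: in pf, the first matching rule marked "quick" ends evaluation, so an exception for OpenVPN works only if it sits above the Snort block rule. The fragment is written in raw pf.conf form to show the ordering; it assumes the Snort package fills a pf table named snort2c (the name pfSense uses), that OpenVPN listens on UDP 1194 on interface em0, and that on pfSense the equivalent would be placed via the GUI or an anchor as Rob describes rather than by editing pf.conf directly.

```pf
# Added example, not pfSense's generated ruleset. Interface, port and the
# snort2c table name are assumptions (see lead-in).
ext_if   = "em0"        # WAN interface (assumed)
vpn_port = "1194"       # OpenVPN listening port (assumed)

table <snort2c> persist # filled by Snort with addresses it has blocked

# 1. Exception FIRST, and marked "quick": pf stops at the first matching
#    quick rule, so a host in <snort2c> can still reach the OpenVPN port.
#    Only the VPN handshake is let through; the tunnel still authenticates it.
pass in quick on $ext_if proto udp from any to ($ext_if) port $vpn_port \
    keep state label "OpenVPN allowed even from snort2c hosts"

# 2. The Snort block rule (pfSense inserts an equivalent one itself).
#    Everything else from a blocked address still stops here.
block in log quick on $ext_if from <snort2c> to any \
    label "Block snort2c hosts"

# A pass rule written BELOW the quick block never sees a blocked host's
# packets, so an exception placed here has no effect:
# pass in on $ext_if proto udp from any to ($ext_if) port $vpn_port   # too late
```

To confirm the loaded order, `pfctl -sr` prints the active rules top to bottom, and `pfctl -t snort2c -T show` lists the addresses currently in the block table.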

