Snort automatic blocking for specified rules only?



  • Is there a way to fine tune the automatic blocking? There are some things which I would like to receive alerts for but not block by default.


  • Moderator

    You can use pass lists to not alert. You could disable a rule and add a custom rule to meet your needs. But you can't have a rule that just alerts as all the rules are designed to block unfortunately.

    What are you trying to do? There may be other solutions?



  • Enable automatic blocking but not block the hosts that are triggering the TCP/UDP Filtered Port Scan events - it gets set off by IRC servers and some other communication apps I use.


  • Moderator

    Take a look at the port scan Pre-processor. There are settings there to not alert on certain scanners and also has some other tuning settings.



  • @BBcan177:

    Take a look at the port scan Pre-processor. There are settings there to not alert on certain scanners and also has some other tuning settings.

    BBcan177 is correct.  There are a number of tunable parameters for the portscan preprocessor.  It's on the PREPROCESSORS tab for the interface.  One thing you can do is a create an Alias containing hosts that should never trigger a portscan alert.  That is the "Ignore Scanners" box.  Create the alias with those hosts under Firewall…Aliases, then come to the PREPROCESSORS tab and enter the alias name in the "Ignore Scanners" box.

    Bill


Log in to reply