Snort automatic blocking for specified rules only?

fearnothing · Jun 26, 2014, 5:59 AM

Is there a way to fine tune the automatic blocking? There are some things which I would like to receive alerts for but not block by default.

BBcan177 · Jun 26, 2014, 6:10 AM

You can use pass lists to not alert. You could disable a rule and add a custom rule to meet your needs. But you can't have a rule that just alerts as all the rules are designed to block unfortunately.

What are you trying to do? There may be other solutions?

fearnothing · Jun 26, 2014, 6:57 AM

Enable automatic blocking but not block the hosts that are triggering the TCP/UDP Filtered Port Scan events - it gets set off by IRC servers and some other communication apps I use.

BBcan177 · Jun 26, 2014, 7:00 AM

Take a look at the port scan Pre-processor. There are settings there to not alert on certain scanners and also has some other tuning settings.

bmeeks · Jun 26, 2014, 6:45 PM

@BBcan177:

Take a look at the port scan Pre-processor. There are settings there to not alert on certain scanners and also has some other tuning settings.

BBcan177 is correct. There are a number of tunable parameters for the portscan preprocessor. It's on the PREPROCESSORS tab for the interface. One thing you can do is a create an Alias containing hosts that should never trigger a portscan alert. That is the "Ignore Scanners" box. Create the alias with those hosts under Firewall…Aliases, then come to the PREPROCESSORS tab and enter the alias name in the "Ignore Scanners" box.

Bill