Snort Redirect & CloudFlare



  • Hello.

    We have been running a range of testing using Snort and have 2 questions in regards to it:

    1. Is there any way to redirect blocked IPs to a web page (either on the firewall or externally) which can tell the user that their IP is on the blacklist and how to go about contacting us to remove it? We do something similar to this on our CSF Linux software firewalls and it's very useful for customers.

    2. We have a customer who does not want his traffic inspected by Snort. Is there a way to set a rule so that if the destination IP meets the requirements, Snort ignores the rules and just whitelists any source traffic going to this destination IP?

    I hope someone can help with these questions.

    Thanks,

    Paul Hughes
    Senior Manager
    http://www.ukhost4u.co.uk/



  • 2:)  add IP of customer to Snort Passlist?!?  (add IPs to alias, add alias to passlist)



  • Hello.

    We already whitelist all our own local IPs in this location so that they don't get blocked.

    What I need to do is ignore the source location when it's set to go to a set destination, i.e.: suppress *, *, track by_dst, ip 188.64.188.200
    under the suppress list in Snort?

    Though the above rule looks correct, it's not working.

    Thanks,

    Paul Hughes
    Senior Manager
    http://www.ukhost4u.co.uk/



  • @ukhost4u:

    Hello.

    We have been running a range of testing using Snort and have 2 questions in regards to it:

    1. Is there any way to redirect blocked IPs to a web page (either on the firewall or externally) which can tell the user that their IP is on the blacklist and how to go about contacting us to remove it? We do something similar to this on our CSF Linux software firewalls and it's very useful for customers.

    2. We have a customer who does not want his traffic inspected by Snort. Is there a way to set a rule so that if the destination IP meets the requirements, Snort ignores the rules and just whitelists any source traffic going to this destination IP?

    I hope someone can help with these questions.

    Thanks,

    Paul Hughes
    Senior Manager
    http://www.ukhost4u.co.uk/

    For #1, no, there is currently no mechanism for that in the Snort package.

    For #2, I think you can accomplish what you want using the IP REPUTATION preprocessor.  Create a whitelist containing that customer's IP or IP range.  Assign that whitelist to the IP REP preprocessor for the interface using the IP REP tab for that interface.  Set the options on that page so the whitelist has priority.  IP addresses in a whitelist are NOT inspected by Snort other than the initial quick test to see if the IP is in the whitelist range.  Once that determination is made, the package bypasses the remainder of the Snort inspection engine.

    Go read up on the IP REPUTATION preprocessor in the Snort VRT online manual here: http://manual.snort.org/node17.html#SECTION003219000000000000000

    Bill
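
For reference, the whitelist setup described in the reply above looks roughly like this in raw Snort 2.9 snort.conf form. This is an added example, not part of the thread and not the configuration the pfSense package generates from its GUI; the file paths are assumptions, and the address is the one quoted earlier in the thread.

```conf
# Added example. File paths below are assumed and both list files must exist.
#
# Contents of /etc/snort/rules/customer.whitelist
# (one IP address or CIDR range per line, '#' starts a comment):
#   188.64.188.200
#
# priority whitelist : when an address is on both lists, the whitelist wins.
# white trust        : whitelisted traffic bypasses the rest of detection.
#                      The default, "white unblack", only cancels a blacklist
#                      match and the traffic is still inspected by the rules.
# nested_ip inner    : for encapsulated traffic, look up the inner IP header.
# memcap 500         : memory (MB) reserved for the reputation tables.

preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
    white trust, \
    whitelist /etc/snort/rules/customer.whitelist, \
    blacklist /etc/snort/rules/default.blacklist
```

With `white trust`, no alerts are generated for traffic matching the whitelisted address, so keep the list limited to the single host or range that has opted out of inspection.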

