Snort whitelist IP's not working, what I my doing wrong?
-
Hey Bill,
my pleasure for the screenshots.
Yes, although I was showing the alerts tab, they are indeed in the Blocked tab….
They are also in the snort2c table.
Yes, I have noticed if an IP generates an alarm and is in the passlist, only the alarm will be created and the IP will NOT get blocked. But it seems on my system this is ONLY true for my home_net and external_net variables....
Weird no?
-
@lpallard:
Yes, I have noticed if an IP generates an alarm and is in the passlist, only the alarm will be created and the IP will NOT get blocked. But it seems on my system this is ONLY true for my home_net and external_net variables….
This sentence is a bit confusing for me. Are you saying that only IP addresses in your HOME_NET and EXTERNAL_NET variables are never blocked? That is a kind of contradiction since EXTERNAL_NET on Snort is generally all addresses not in HOME_NET when using the default setting.
The default parameters for a PASS LIST will include within it all locally-attached IP subnets as well as DNS servers, gateways, and the WAN IP address. These would never be blocked. The ADDRESS alias you can add on the PASS LIST edit screen is where you specify other IP addresses that will not be blocked. You can only specify actual IP addresses in that Alias. You cannot use any FQDN type alias.
To the best of my knowledge, this feature is working for all other users.
Bill
-
Bill, I have a question regarding "(portscan) TCP Portsweep" and "(portscan) TCP Filtered Portsweep"..
To be quite honest, when I enabled the preproc for the portsweep detection, I thought this would be useful in blocking the IP's purposely performing portsweeps on my public IP (I had in mind attack servers, etc) but what ended up happening is that most (80%+) of the sites I visit are getting blovked by snort because of portsweeps.
Most of these sites are well known sites (google IP's, my ISP's portal, cnn.com, some popular forums, etc)… I must say most of the alarms are from Google's e100 servers (173.194.0.0/16, 74.125.0.0/16, 216.58.0.0/16).
So I am wondering if these alarms are "normal" and should be ignored because they originate from well known/reliable sources, but on the other hand why would forums, search engines and other public sites perform portsweeps???
I hope you can shed some light on this issue.. for now I have kept the preproc enabled and when a site doesnt load (or stops loading) I login to pfsense and remove the blocked host from the block list (PITA)..
Thanks!
-
@lpallard:
Bill, I have a question regarding "(portscan) TCP Portsweep" and "(portscan) TCP Filtered Portsweep"..
To be quite honest, when I enabled the preproc for the portsweep detection, I thought this would be useful in blocking the IP's purposely performing portsweeps on my public IP (I had in mind attack servers, etc) but what ended up happening is that most (80%+) of the sites I visit are getting blovked by snort because of portsweeps.
Most of these sites are well known sites (google IP's, my ISP's portal, cnn.com, some popular forums, etc)… I must say most of the alarms are from Google's e100 servers (173.194.0.0/16, 74.125.0.0/16, 216.58.0.0/16).
So I am wondering if these alarms are "normal" and should be ignored because they originate from well known/reliable sources, but on the other hand why would forums, search engines and other public sites perform portsweeps???
I hope you can shed some light on this issue.. for now I have kept the preproc enabled and when a site doesnt load (or stops loading) I login to pfsense and remove the blocked host from the block list (PITA)..
Thanks!
I don't have a precise answer, but my personal observations over the last year indicate the portscan preprocessor in Snort has become overly sensitive and "false-positives" frequently. I've had to set mine on the WAN to the lowest sensitivity and add a number of known safe and frequently visited sites to an Alias and then assign that Alias to the "Ignore Scanners" parameter in the portscan preprocessor configuration.
Things that open a number of HTTP connections like hitting a busy web site with a bunch of ad server lookups, for example, seem to trigger portscan alerts.
Bill
-
I also observed that most (now I am even starting to think maybe ALL) sites are generating portscans but why, that remains a mystery to me.. What I ended up doing was to lower the preproc setting sensitivity to low on the snort interface, then allow a "running-in" period where I try to visit as many sites as I usually visit and let my systems contact whatever web services they need, then when an alert is generated I add it to an alias that I assigned to Snort's interfaces…
May not be the best but it works. All I need now is a real attack from one of those "legit and trusted" sites and snort wont pick it up..
Perfection doesnt exist I guess...
This page also helped me a lot:
http://manual.snort.org/node85.html
Thanks Bill for your help once again!
