Snort/Suricata and web browsing



  • Hello,

    I have a query regarding whether something is doable within a pfSense setup with the Snort/Suricata service installed.

    Basically, we have a few pfSense boxes, each with Snort installed (and Suricata on recently updated ones), which works great; however, users are regularly having difficulty browsing websites due to Snort/Suricata blocking traffic to the destination IP.

    Is there any way we can make it so the block list in Snort is ignored for web browsing only? I had the idea of creating an alias with ports 80 and 443 and then adding that to the 'pass list' in the Snort settings, but it seems I can only do this with host IP addresses and not specific ports.

    Any ideas/advice as to how I can either bypass Snort for web browsing or add exception rules for ports 80 and 443 would be greatly appreciated.



  • @cpalmer:

    Hello,

    I have a query regarding whether something is doable within a pfSense setup with the Snort/Suricata service installed.

    Basically, we have a few pfSense boxes, each with Snort installed (and Suricata on recently updated ones), which works great; however, users are regularly having difficulty browsing websites due to Snort/Suricata blocking traffic to the destination IP.

    Is there any way we can make it so the block list in Snort is ignored for web browsing only? I had the idea of creating an alias with ports 80 and 443 and then adding that to the 'pass list' in the Snort settings, but it seems I can only do this with host IP addresses and not specific ports.

    Any ideas/advice as to how I can either bypass Snort for web browsing or add exception rules for ports 80 and 443 would be greatly appreciated.

    No, there is no easy way to "not block" based on ports. You could, perhaps, rewrite a bunch of the rules by manually editing the destination ports. But you would find that a lot of work.

    I should point out that what you are considering is a very bad idea!  The majority of malicious stuff is going to make its way into your network via web users.  Having Snort essentially ignore that traffic is not the best security.  You should instead spend a little time fine-tuning Snort and Suricata by either selectively disabling the rules that are known false positives on your network, or creating Suppress List entries for them.

    There is a very good thread in the Packages sub-forum with suggestions for a Suppress List that addresses the most common known false positives. Here is the link: https://forum.pfsense.org/index.php?topic=56267.msg300473#msg300473

    Bill
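The fine-tuning approach Bill recommends (find the specific rules that keep firing on legitimate web traffic, then write narrowly scoped Suppress List entries for them instead of exempting ports 80 and 443 wholesale) can be started from the sensor's own alert log. The script below is an added example and is not code from the forum thread or from the pfSense Snort/Suricata packages. It parses the single-line "fast" alert format that both Snort and Suricata can write, counts alerts per generator/signature ID on web ports, and proposes `suppress` lines scoped to the destination host so that the rule still fires everywhere else. The alert lines, SIDs (taken from the 1000000+ local-rules range) and IP addresses are constructed sample data, not real rules or hosts; the `min_hits` threshold is an assumed tuning knob.

```python
"""
Triage Snort/Suricata fast-format alerts to find candidate false positives on
web traffic and emit targeted suppress-list entries.

Added example, not from the forum thread. Assumes the one-line "fast" alert
format. SAMPLE_ALERTS below is constructed sample data: SIDs are from the
local-rules range (1000000+) and IPs are documentation addresses.
"""
import re
from collections import Counter, defaultdict

# Fields of a fast-format line: timestamp, [gid:sid:rev], message, {proto}, src:port -> dst:port
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

WEB_PORTS = {80, 443}

# Constructed sample alerts (not real rules, not real hosts).
SAMPLE_ALERTS = """\
01/15-09:12:01.123456  [**] [1:1000001:3] LOCAL sample-rule-A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.20:443
01/15-09:12:05.223456  [**] [1:1000001:3] LOCAL sample-rule-A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.11:51300 -> 198.51.100.20:443
01/15-09:12:09.323456  [**] [1:1000001:3] LOCAL sample-rule-A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.12:51400 -> 198.51.100.20:443
01/15-09:13:00.423456  [**] [1:1000002:1] LOCAL sample-rule-B [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:51500 -> 198.51.100.30:80
01/15-09:14:00.523456  [**] [1:1000003:2] LOCAL sample-rule-C [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 203.0.113.5:40000 -> 192.0.2.50:22
"""


def parse_fast_alerts(text):
    """Return one dict per parseable fast-format alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            d[key] = int(d[key])
        alerts.append(d)
    return alerts


def web_alert_counts(alerts):
    """Count alerts per (gid, sid) whose destination port is a web port,
    and record which destination hosts each signature hit."""
    counts = Counter()
    dsts = defaultdict(set)
    for a in alerts:
        if a["dport"] in WEB_PORTS:
            key = (a["gid"], a["sid"])
            counts[key] += 1
            dsts[key].add(a["dst"])
    return counts, dsts


def suggest_suppressions(alerts, min_hits=2):
    """Propose Snort/Suricata suppress entries for signatures that repeatedly
    fire on web traffic. Each entry is scoped with 'track by_dst' to the
    destination host observed, so the rule keeps firing for other hosts.
    Signatures below min_hits are left for manual review rather than suppressed."""
    counts, dsts = web_alert_counts(alerts)
    lines = []
    for (gid, sid), n in counts.most_common():
        if n < min_hits:
            continue
        for dst in sorted(dsts[(gid, sid)]):
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {dst}")
    return lines


if __name__ == "__main__":
    parsed = parse_fast_alerts(SAMPLE_ALERTS)
    print(f"{len(parsed)} alerts parsed")
    for entry in suggest_suppressions(parsed):
        print(entry)
```

Each proposed line is a starting point, not a decision: confirm that the signature really is a false positive for that destination before pasting it into the Suppress List in the pfSense Snort or Suricata package, and prefer `track by_dst`/`by_src` entries over a bare `suppress gen_id ..., sig_id ...` so that the signature still protects the rest of the network.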