SNORT Block My Internal Server



  • Hi guys.
    Currently Snort is blocking my access to the Ubuntu repositories, so I cannot update my server.
    I do not think removing the rules is a good option. Therefore I would like to add the IP address of my local server to a whitelist, so that it passes over Snort and does not crash.

    Hope you can help me.
    Thanks in advance.

    Regards.



  • @dascencio:

    If the Ubuntu server is on a local network directly attached to a firewall interface (meaning the net block containing the server is within a net block defined on one of the firewall interfaces), then the Ubuntu server should be in the default PASS LIST (the "do not block these IPs list").  What is getting blocked could just be the remote end of the traffic stream.  If that is the case, simply adding a Suppress List entry for the triggered rule might be most appropriate.

    However, if the Ubuntu server is indeed in a net block that is not directly defined on a firewall interface, then you will need to do the following:

    1.  Create an Alias under Firewall > Aliases to define either just the Ubuntu host or the entire net block it resides in.

    2.  Go to Services > Snort and click the PASS LIST tab.

    3.  Click the plus (+) icon to create a new Pass List entry.

    4.  In the dialog that opens, give the list a descriptive name and then adjust the checkboxes as desired.  Leaving them at the defaults should be OK.

    5.  Now the key part – at the bottom in the red background ADDRESS box, type the name of the Alias you created in step #1.

    6.  Save the new list.

    7.  Now click the INTERFACES tab in Snort and double-click the interface where you wish to use the new list (or click the edit icon).

    8.  Near the bottom of the INTERFACE SETTINGS tab there is a drop-down list control for the PASS LIST.  Select the Pass List you created in steps #3 - #6.  Save the change.

    9.  And finally -- and most importantly -- restart Snort on the changed interface.

    Bill
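
The decision described in the reply above, as an added example that is not part of the original thread: it checks whether a host sits inside a net block defined on a firewall interface and, if so, emits Suppress List lines in standard Snort `suppress` syntax for the triggered rule; otherwise it reports that the Alias and custom Pass List steps are needed. The interface networks, host addresses and the GID/SID are constructed sample values; take the real GID:SID from the alert that triggered the block.

```python
import ipaddress

# Constructed sample data: interface address/prefix as configured on the firewall.
INTERFACES = {"LAN": "192.168.1.1/24", "DMZ": "10.10.0.1/24"}
GID, SID = 1, 1000001  # placeholder rule id, not a real signature from the thread


def directly_attached(host, interface_nets):
    """Return the name of the interface whose net block contains host, or None."""
    addr = ipaddress.ip_address(host)
    for name, cidr in interface_nets.items():
        # strict=False: interface entries carry host bits (192.168.1.1/24)
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return name
    return None


def suppress_entries(gid, sid, host):
    """Suppress the rule only for traffic to or from this host."""
    ip = ipaddress.ip_address(host)  # validates the address
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track {direction}, ip {ip}"
        for direction in ("by_src", "by_dst")
    ]


def plan(host, interface_nets, gid, sid):
    """Choose between a Suppress List entry and a custom Pass List."""
    iface = directly_attached(host, interface_nets)
    if iface is not None:
        # Host is already covered by the default Pass List; the block is
        # hitting the remote end, so suppress the triggered rule instead.
        return {"action": "suppress", "interface": iface,
                "lines": suppress_entries(gid, sid, host)}
    # Host is in a routed net block: Alias + custom Pass List + Snort restart.
    return {"action": "pass_list", "interface": None, "lines": []}


if __name__ == "__main__":
    for host in ("192.168.1.50", "172.16.5.20"):  # constructed hosts
        result = plan(host, INTERFACES, GID, SID)
        print(host, "->", result["action"], result["interface"])
        for line in result["lines"]:
            print("   ", line)
```

Scoping the suppression to the host's address keeps the rule active for every other system behind the firewall.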