Snort: Suppress Source Addresses



  • Hi,

    we use Snort as IPS for several official Address ranges on WAN. Now we need some addresses/ranges in our official ranges, which should not be blocked, regardless matched rules.
    E.g. Some costumers won't be protected by snort or we need this to implement a honey pot.

    With other words: If someone outside want to communicate to specified own IPs, snort must not block this.

    Is this practicable  within suppress list?



  • This is what a PASS LIST is for.  IP addresses on a PASS LIST are never blocked.  They will still generate alerts, but those alerts will not result in blocks.

    1.  Go create an Alias under Firewall > Aliases and put all the IP addresses you never want blocked in the alias.  You must use actual IP addresses.  FQDN aliases will not work!

    2.  Go to the PASS LIST tab and create a new list.  Leave all the checkboxes at their defaults.  In the red background alias field at the bottom of the page, begin typing the name of the alias you created in the step above.  It should auto-populate.  Select it and then save the changes.

    3.  Now go to the SNORT INTERFACES tab and edit the Snort interface where you need to use the new PASS LIST (I assume that would be your WAN).

    4.  Scroll down towards the bottom of the page and in the PASS LIST drop-down select the pass list you created and saved up above.  Save the interface changes.

    5.  Restart Snort on the interface and you are good to go.

    Bill



  • Hi Bill,

    ??little bit confused?? I thought that this list is only for source-addresses?
    But in my case I want define a "destination-exclusion-list".

    e.g.
    I have a external IP range: 1.2.3.0/24. In this range I want to use the IP 1.2.3.4 for a honey pod. All bad guys over the world are able to make a port scan, penetrate or make brute force only to this address and snort shouldn't ban this.



  • A PASS LIST works in either direction (source or destination).  I think I misunderstood your intent, though.  The PASS LIST would prevent the Honey Pot address from being blocked, but it may not prevent the other end of the conversation from being blocked.  For example, if IP 5.6.7.8 does a port scan to your honey pot IP, the PASS LIST would prevent the honey pot IP from being blocked, but if Snort was set to block "both" addresses in alerts, then the source of the port scan would still get blocked.  You might need to play with the "Block Which IP" setting on the INTERFACE SETTINGS tab in Snort.  You could set that to only block the DST IP.  This will impact other traffic inspection/blocking, though.  Setting it to BOTH is usually a better choice for security.

    Bill



  • Other settings in "Which IP to Block" than both is a bad option.

    My idea I must replace the variable $Home_Net. I hope I am able to exclude some addresses in alias like this?
    1.2.0.0/20
    !1.2.3.4/32

    is this possible?

    http://manual.snort.org/node16.html#SECTION00312000000000000000

    The following example list will match the IP 1.1.1.1 and IP from 2.2.2.0 to 2.2.2.255, with the exception of IPs 2.2.2.2 and 2.2.2.3.
        [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]]

    Or any other suggestions?
    Otherwise this will be a long alias



  • @Ruddimaster:

    My idea I must replace the variable $Home_Net. I hope I am able to exclude some addresses in alias like this?
    1.2.0.0/20
    !1.2.3.4/32

    is this possible?

    I think that should work.

    Bill



  • Hi,

    how can I exclude (!1.2.3.4) a single IP.

    -> Error message in snort variables: Only aliases are allowed.
    In variables I can't use an !
    [$HOME_NET,!snort_alias_exclude] doesn't work.

    To exclude only a single IP it is possible to define a range

    1.2.3.3-1.2.3.5
    but how should I handle this with a bunch of IPs?

    Dirk



  • At the meantime I have create an alias and add only a 1.2.3.0/24 to this list + unchecked all in my created pass list + add my alias to this list. Change "default" in snort interface to my created "pass list" and restart snort.
    But if I take a look in this "Home Net" list, I still see 1.2.0.0/20 and all my other local IP-Ranges…



  • The Snort GUI is not set up to work with a HOME_NET parameter such as you defined.  The HOME_NET variable contents are built dynamically each time a save is made to an interface or when Snort is manually started/restarted from the INTERFACES tab in Snort.

    There is a way to manually edit and lock the HOME_NET variable for an interface, but it would be really locked and you will have to re-apply the fix after each update of the Snort package (or when pfSense itself is updated, as that will uninstall and reinstall Snort).  The method requires editing the template file used to produce the snort.conf configuration file.  Another downside of this approach is that it will apply to every Snort instance on the firewall.  If you only have one, then no problem; but if you have multiple Snort interfaces each would get the same HOME_NET setting.

    Find this line in the file /usr/local/pkg/snort/snort_conf_template.inc – (it will be near the top)

    
    # Define Local Network #
    ipvar HOME_NET [{$home_net}]
    
    

    Remove the "{$home_net}" string and replace it with the actual IP addresses you want in HOME_NET.  Save the change.  Now go to the INTERFACES tab in Snort and start and restart the interface.  The new HOME_NET will show up in the snort.conf file.  You WILL NOT see the change in the GUI, though.

    Bill



  • Hi Bill,

    many thanks for your reply.

    in the case of file-hacking, I am also able to exclude some IPs? This would be easier to administrate.

    At this time I have only one Snort instance.
    how does this looks like?

    ipvar HOME_NET [{$home_net},!{Alias_snort_exclude}]
    

    Dirk



  • @Ruddimaster:

    Hi Bill,

    many thanks for your reply.

    in the case of file-hacking, I am also able to exclude some IPs? This would be easier to administrate.

    At this time I have only one Snort instance.
    how does this looks like?

    ipvar HOME_NET [{$home_net},!{Alias_snort_exclude}]
    

    Dirk

    You can't have the curly braces or the content within them.  Those are PHP-specific string variable delimiters.  Snort (the binary) does not understand anything in HOME_NET but numerical IP address information.  Something like this would be valid –

    
    ipvar HOME_NET [ 1.2.3.4/32, 10.0.0.1/24, !5.6.7.8/32 ]
    
    

    Bill



  • Hi Bill,

    many thanks…

    Dirk


Log in to reply