Snort - whitelisting a domain?



  • I would like to block .exe files from being downloaded on our corporate network.

    ET POLICY PE EXE or DLL Windows file download HTTP (1:2018959) seems to be the right Snort rule to do this.

    Unfortunately I get a lot of false positives from Windows Update downloads, which I of course do not want to block. Is there a way to suppress all these false positives based on a reverse DNS lookup for the IP (i.e. suppress all alerts for *.microsoft.com)?

    I can't use a Squid proxy because the pfSense box is also running limiters and the two don't work together.



  • This post https://forum.pfsense.org/index.php?topic=87247.msg479068#msg479068 lists most of the domain names involved with MS updates.
    This post explains that you can't whitelist a domain in Snort: https://forum.pfsense.org/index.php?topic=88914.msg491573#msg491573

    Possible workarounds:
    If you have WSUS (the Windows Update server that downloads the updates and then pushes them to the workstations, saving MS bandwidth), perhaps you could exclude the Snort check during a certain period of time?

    If you don't have WSUS, and the workstations download the updates directly, perhaps having those updates carried out at a certain time of day and then having Snort disable itself or the rules in question might also be an option.

    You might be able to find a cron job to disable Snort or some of its rules for a period of time.

    Alternatively, maybe you could create a route that all MS updates pass through and that Snort doesn't check?

    I haven't tried any of the above; they are just some ideas which might help.
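An added example, not code from either post above or from the pfSense/Snort projects, covering the question's wish to suppress SID 2018959 for trusted update servers and the reply's point that Snort has no domain-based whitelist. Snort 2's `suppress` directive (in threshold.conf, or the suppression list in the pfSense Snort package) works on IP addresses only, so the script forward-resolves a list of trusted hostnames and emits one `suppress gen_id 1, sig_id 2018959, track by_src, ip <addr>` line per address. The hostnames in `TRUSTED_HOSTS` are constructed placeholders (the real names are in the linked pfSense post); `track by_src` assumes the rule fires on the server-to-client HTTP response, so the external server is the source; and the helper names are mine.

```python
"""Generate Snort 2 'suppress' entries so ET SID 2018959 (PE EXE/DLL download)
is not raised for downloads from trusted update servers.

Added example, not from the forum thread or from pfSense/Snort. Snort cannot
whitelist a domain; suppress lines match IP addresses, so trusted hostnames
are resolved to addresses first. Re-run periodically (e.g. from cron): update
CDNs rotate addresses, and a stale list silently loses its exceptions.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List

# Constructed placeholder hostnames; a real deployment would use the update
# hostnames from the linked pfSense post.
TRUSTED_HOSTS = ["download.windowsupdate.example", "update.microsoft.example"]

SID = 2018959  # ET POLICY PE EXE or DLL Windows file download HTTP
GID = 1


def resolve_hosts(hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Forward-resolve each hostname to its current IPv4/IPv6 addresses.

    A name that fails to resolve maps to an empty list instead of aborting,
    so one dead CDN name does not leave the whole suppression list empty.
    """
    result: Dict[str, List[str]] = {}
    for host in hosts:
        try:
            infos = socket.getaddrinfo(host, None)
        except socket.gaierror:
            result[host] = []
            continue
        result[host] = sorted({info[4][0] for info in infos})
    return result


def build_suppress_lines(host_to_ips: Dict[str, List[str]],
                         sid: int = SID, gid: int = GID) -> List[str]:
    """Turn a host -> addresses map into Snort suppress lines.

    One line per address, preceded by a comment naming the host it came from.
    Each address is validated with ipaddress so a bad DNS answer cannot
    produce a malformed line that stops Snort loading its config. An address
    shared by several hostnames is emitted once. track by_src is assumed
    correct because the rule fires on the response from the external server.
    """
    lines: List[str] = []
    seen = set()
    for host in sorted(host_to_ips):
        for addr in host_to_ips[host]:
            ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
            if ip in seen:
                continue
            seen.add(ip)
            lines.append(
                f"# {host}\n"
                f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
            )
    return lines


def suppression_config(host_to_ips: Dict[str, List[str]]) -> str:
    """Render the complete text to paste into the suppression list."""
    return "\n".join(build_suppress_lines(host_to_ips)) + "\n"


if __name__ == "__main__":
    # Live run: resolves TRUSTED_HOSTS over DNS and prints the config text.
    print(suppression_config(resolve_hosts(TRUSTED_HOSTS)), end="")
```

Note that the exception is per server address, not per file: anything served from those addresses is exempt from this one SID, which is a much narrower hole than disabling the rule or Snort for a time window, but it is still worth reviewing the resolved list before loading it.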
