Best Way to Bypass Snort for Specific Servers?



  • Good Morning,

    I have a server on a dedicated VLAN that I would like to have directly pass thru the firewall without being scanned by Snort.  This server connects to two dedicated hosts on Port 443 & uses a fair amount of bandwidth causing processor spikes on the firewall.  I have isolated that the processor spikes happen only when Snort is enabled & this server is using heavy bandwidth.

    I have tried adding the IP Address of the server to the Snort Pass List as well as adding the FQDN of the hosts the server connects to.  Unfortunately, this did not result in reduced processor load when bandwidth utilization is high.

    I also tried adding a WAN rule with the Source IP address of the server & opened up Port 443 to any destination, but this also did not result in reduced processor load when this server is using heavy bandwidth & Snort is enabled.

    Is it possible to exclude this server from Snort?  Any thoughts on the best way to go about this?

    Best-

    Darren



  • You can't exclude the server's traffic from being scanned if that traffic comes through the pfSense firewall where Snort is running.  You can make sure that Snort does not "block" that server if an alert is triggered by traffic to or from that box.  To do this you can add the server's IP to an Alias (under Firewall > Aliases), then go to the PASS LIST tab and create a custom Pass List and add the alias you created to the Pass List (down at the bottom in the ADDRESS box).  Save the new Pass List.  Now go to the interface on the INTERFACE SETTINGS tab where you want to exclude the server (WAN most likely, but could be LAN) and double-click to edit the interface.  Scroll down to the bottom of the page and select the newly created Pass List in the PASS LIST drop-down.  Save the change and restart Snort on the interface.

    Another option, if the server has a static IP address, is to simply create a "track by IP" Suppression Rule on the SUPPRESS tab.  If you use the Suppress option, then no alert will ever be generated by traffic from that server (but the traffic will still be inspected; alerts will just be muted or suppressed).

    Bill



  • Create an extra DMZ and place the server inside of this then. Set up snort scanning on your LAN port.
    So the Server will have Internet connection and the rest of the LAN will be scanned by snort.
    WAN - NAT and pf
    DMZ - Snort is not scanning
    LAN - snort is scanning


Log in to reply