I need to allow certain traffic through which is being blocked by Snort, e.g. ICMP from a specific address. How can I do this?
2 Answers
There are primarily two ways to do this:

- suppress rule -- Disables alerting on a specific SID based on either source or destination
- pass rule -- Allows traffic matching the rule to be passed without checking against any other rules
Pass Rules
Useful for ignoring traffic from hosts that are known to generate lots of alerts, but are also known to be trusted. Vulnerability assessment tools being a big one. They are written in the form of any other alert rule, except that the "pass" statement is used instead of "alert". If we wanted to allow all traffic from one of these we could use:

```
pass ip 10.10.8.200/32 any <> any any (msg: "Ignore all Network Health monitoring"; sid: 1000013;)
```

This is a very simple rule that will ignore any IP traffic with a source address of '10.10.8.200' with any source port going to any address on any destination port.
Suppress Rules
These are primarily used for filtering out false positives. They require the admin to specify more information about the rule, e.g. gen_id and sig_id, as well as the conditions under which to ignore it. Let's say we had a system that regularly performs gobs of reverse DNS lookups, and as such generates a lot of NXDOMAIN queries. This can often indicate network reconnaissance, but in this case it is expected behavior. We could ignore it using:

```
suppress gen_id 1, sig_id 13948, track by_dst, ip 10.10.8.240
```

For standard "alert" rules the gen_id is always 1, the SID we want to ignore is 13948, and the host that's performing all of these lookups is '10.10.8.240'.
Specific Request
In the situation you're laying out you should be able to get away with something like:

```
pass icmp 10.10.8.200/32 any <> any any (msg: "Ignore all ICMP Traffic by Host"; sid: 1000087;)
```

Similar to the IP based rule above, this should ignore any ICMP traffic that comes from '10.10.8.200', no matter who the destination is.
Additional Resources
These rules can, of course, get more complicated, but you'll want to read some more documentation on the specifics. Your best bet is to just do a few Google searches and chunk through them, but useful documentation that I've found is (in no particular order):
- Thanks, I have created some suppression rules, but I'm not sure I understand: are the rule alerts just suppressed, or are the rules ignored and the traffic allowed if it matches the suppression details? – keyoke Apr 06 '11 at 14:59
- @keyoke If you use a suppression rule then that signature is still checked against that packet, it just won't trigger an alert. If you use a pass, then that signature won't be checked on that traffic. – Scott Pack Apr 20 '11 at 13:39
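The difference the comments above are getting at (a pass rule stops the signature from being evaluated at all, a suppress entry lets the signature fire but drops the event before output) is easy to get wrong in two ways: the `<>` in the pass rule headers above is bidirectional, so the rule also covers traffic *to* the trusted host, and `track by_dst` only covers events where the listed host is the destination. The following is an added example, not Snort code and not part of the answer: a small Python model that parses the two formats (rule header only; ports in the pass header are accepted but ignored) and reports what happens to a handful of constructed events. It assumes pass rules are evaluated before alert rules, which is the Snort 2.9 default (`config order`, or the `-o` flag in older releases, changes that). It also shows that the suppress directive's `ip` option takes addresses, CIDR blocks or a bracketed list, so an `address:port` value is rejected by the parser.

```python
"""Constructed model of Snort pass rules versus suppress entries (added example,
not Snort's own code; Snort's engine is authoritative for real traffic)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# threshold.conf form: suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <ip-list>]
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)
# rule header only: pass <proto> <src> <sport> <-> or <>> <dst> <dport> (
PASS_RE = re.compile(r"^pass\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")


def parse_nets(spec: str) -> List[ipaddress.IPv4Network]:
    """Address, CIDR block, or bracketed list like [10.0.0.1,10.1.0.0/16].
    Anything else, including 'addr:port', raises ValueError via ip_network."""
    return [ipaddress.ip_network(s, strict=False) for s in spec.strip("[]").split(",")]


def in_nets(nets: Optional[list], addr: ipaddress.IPv4Address) -> bool:
    return nets is None or any(addr in n for n in nets)  # None stands for 'any'


@dataclass
class Event:
    proto: str
    gen_id: int
    sig_id: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


@dataclass
class Suppress:
    gen_id: int
    sig_id: int
    track: Optional[str]  # None: suppress the SID for every host
    nets: List[ipaddress.IPv4Network] = field(default_factory=list)

    def matches(self, ev: Event) -> bool:
        if (self.gen_id, self.sig_id) != (ev.gen_id, ev.sig_id):
            return False
        if self.track is None:
            return True
        addr = ev.src if self.track == "by_src" else ev.dst
        return in_nets(self.nets, addr)


@dataclass
class PassRule:
    proto: str
    src: Optional[list]
    direction: str
    dst: Optional[list]

    def matches(self, ev: Event) -> bool:
        if self.proto != "ip" and self.proto != ev.proto:
            return False
        forward = in_nets(self.src, ev.src) and in_nets(self.dst, ev.dst)
        if self.direction == "->":
            return forward
        # '<>' is bidirectional: the header also matches with the endpoints swapped
        return forward or (in_nets(self.src, ev.dst) and in_nets(self.dst, ev.src))


def parse_suppress(line: str) -> Suppress:
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a suppress line: {line!r}")
    gid, sid, track, ips = m.groups()
    return Suppress(int(gid), int(sid), track, parse_nets(ips) if ips else [])


def is_valid_suppress(line: str) -> bool:
    try:
        parse_suppress(line)
        return True
    except ValueError:
        return False


def parse_pass(line: str) -> PassRule:
    m = PASS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a pass rule header: {line!r}")
    proto, src, _sport, direction, dst, _dport = m.groups()
    return PassRule(proto, None if src == "any" else parse_nets(src),
                    direction, None if dst == "any" else parse_nets(dst))


def disposition(pass_rules, suppressions, ev: Event) -> str:
    """'passed': a pass rule matched, no alert rule is evaluated at all.
    'suppressed': the alert rule fired but the event is dropped before output.
    'alert': the event is reported. Pass rules are checked first (Snort 2.9 default)."""
    if any(p.matches(ev) for p in pass_rules):
        return "passed"
    if any(s.matches(ev) for s in suppressions):
        return "suppressed"
    return "alert"


# Constructed configuration reusing the rules from the answer above.
PASS_RULES = [parse_pass('pass icmp 10.10.8.200/32 any <> any any '
                         '(msg: "Ignore all ICMP Traffic by Host"; sid: 1000087;)')]
SUPPRESSIONS = [parse_suppress("suppress gen_id 1, sig_id 13948, track by_dst, ip 10.10.8.240")]
A = ipaddress.ip_address


def demo() -> dict:
    events = {
        "icmp_from_trusted": Event("icmp", 1, 408, A("10.10.8.200"), A("10.10.9.1")),
        "icmp_to_trusted": Event("icmp", 1, 408, A("10.10.9.1"), A("10.10.8.200")),  # '<>'
        "tcp_from_trusted": Event("tcp", 1, 2000, A("10.10.8.200"), A("10.10.9.1")),  # not icmp
        "dns_to_client": Event("udp", 1, 13948, A("10.10.8.1"), A("10.10.8.240")),  # by_dst hit
        "dns_from_client": Event("udp", 1, 13948, A("10.10.8.240"), A("10.10.8.1")),  # by_dst miss
    }
    return {name: disposition(PASS_RULES, SUPPRESSIONS, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

Running it shows `icmp_to_trusted` passed as well as `icmp_from_trusted` (the effect of `<>`), `tcp_from_trusted` still alerting, and SID 13948 suppressed only when 10.10.8.240 is the destination; if the lookups are alerted on with the client as source, `track by_src` is the option to use.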
Great info, what if I just want to suppress a single port?

I want to do something like

```
suppress gen_id 1, sig_id 1394, track by_dst, ip 10.182.196.135:925
```

with 925 being my internal port for SMTP. Emails going through the SMTP dump out a load of alerts I don't need to see.

Could that work with the port on the end?
- It's a bit late now, and I don't know if you figured it out, but I would really recommend you actually ask this as a question. It doesn't really belong as an answer. – Scott Pack Apr 13 '12 at 01:45