
I need to allow certain traffic through which is being blocked by snort eg ICMP from a specific address. How can I do this?

Scott Pack
keyoke

2 Answers


There are primarily two ways to do this

  • suppress rule -- Disables alerting on a specific SID based on either source or destination
  • pass rule -- Allow traffic matching the rule to be passed without checking against any other rules

Pass Rules
Useful for ignoring traffic from hosts that are known to generate lots of alerts, but are also known to be trusted. Vulnerability assessment tools being a big one. They are written in the form of any other alert rule, except that the "pass" statement is used instead of "alert". If we wanted to allow all traffic from one of these we could use:

pass ip 10.10.8.200/32 any <> any any (msg: "Ignore all Network Health monitoring"; sid: 1000013;)

This is a very simple rule that will ignore any IP traffic with a source address of '10.10.8.200' with any source port going to any address on any destination port.

Suppress Rules
These are primarily used for filtering out false positives. They require that the admin specify more information about the rule, e.g. gen_id and sig_id, as well as the conditions under which to ignore. Let's say we had a system that regularly performs gobs of reverse DNS lookups, and as such generates a lot of NXDOMAIN queries. This can often indicate network reconnaissance, but in this case it is expected behavior. We could ignore it using:

suppress gen_id 1, sig_id 13948, track by_dst, ip 10.10.8.240

For standard "alert" rules the gen_id is always 1, the SID we want to ignore is 13948, and the host that's performing all of these lookups is '10.10.8.240'.

Specific Request
In the situation you're laying out you should be able to get away with something like:

pass icmp 10.10.8.200/32 any <> any any (msg: "Ignore all ICMP Traffic by Host"; sid: 1000087;)

Similar to the IP based rule above, this should ignore any ICMP traffic that comes from '10.10.8.200', no matter who the destination is.

Additional Resources

These rules can, of course, get more complicated, but you'll want to read some more documentation on the specifics. Your best bet is to just do a few google searches and chunk through them, but useful documentation that I've found is (in no particular order):

Scott Pack
  • thanks, I have created some suppression rules, but I'm not sure I understand - are the rule alerts just suppressed or are the rules ignored and the traffic allowed if it matches the suppression details. – keyoke Apr 06 '11 at 14:59
  • @keyoke If you use a suppression rule then that signature is still checked against that packet, it just won't trigger an alert. If you use a pass, then that signature won't be checked on that traffic. – Scott Pack Apr 20 '11 at 13:39

Great info, what if I just want to suppress a single port?

I want to do something like

suppress gen_id 1, sig_id 1394, track by_dst, ip 10.182.196.135:925

with 925 being my internal port for smtp. Emails going through the smtp dump out a load of alerts I don't need to see.

Could that work with the port on the end?

quanta
MvcCmsJon
  • snort restarted with that syntax, now we will see if it works... – MvcCmsJon Jul 07 '11 at 02:07
  • It's a bit late now, and I don't know if you figured it out, but I would really recommend you actually ask this as a question. It doesn't really belong as an answer. – Scott Pack Apr 13 '12 at 01:45
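The accepted answer explains suppress entries and the comment thread makes the key point: a suppression only silences the alert, the signature still runs. The post above then asks whether the `ip` field of a suppress line will take a port. The following is an added example, not code from the original page or from the Snort project: a small checker for the Snort 2.x `threshold.conf` suppress syntax used in the answer, which tells you which alerts a given set of entries would silence and rejects malformed lines before you restart the sensor. It assumes the grammar `suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr|CIDR|[a,b,...]>]`, with the bracketed comma list taken from Snort's IP-list syntax; the sample `threshold.conf` text and the SIDs 1000001/1000002 (local rule range) are constructed for this example, and only the first entry comes from the answer.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Grammar of a Snort 2.x threshold.conf suppress line (assumed here, see lead-in):
#   suppress gen_id <gid>, sig_id <sid>[, track by_src|by_dst, ip <addr | CIDR | [a,b,...]>]
# Without the track/ip pair the SID is suppressed for every source and destination.
_SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+))?$"
)


@dataclass(frozen=True)
class Suppression:
    gid: int
    sid: int
    track: Optional[str]   # "by_src", "by_dst", or None for a global suppression
    networks: tuple        # ip_network objects; empty for a global suppression

    def matches(self, gid: int, sid: int, src: str, dst: str) -> bool:
        """Would this entry silence an alert from (gid, sid) on a src -> dst packet?"""
        if (gid, sid) != (self.gid, self.sid):
            return False
        if self.track is None:
            return True
        addr = ipaddress.ip_address(src if self.track == "by_src" else dst)
        return any(addr in net for net in self.networks)


def parse_suppress_line(line: str) -> Suppression:
    m = _SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid suppress line: {line!r}")
    networks = ()
    if m.group("ip") is not None:
        # The ip field is an address, a CIDR block, or a bracketed comma list of those.
        # ip_network() rejects anything else, including an address with a port suffix,
        # which is why "ip 10.182.196.135:925" from the post above fails here.
        try:
            networks = tuple(
                ipaddress.ip_network(part, strict=False)
                for part in m.group("ip").strip("[]").split(",")
            )
        except ValueError as e:
            raise ValueError(f"bad ip in {line!r}: {e}") from None
    return Suppression(int(m.group("gid")), int(m.group("sid")), m.group("track"), networks)


def _config_lines(text: str):
    """Yield (lineno, line) for the non-blank, non-comment lines of a threshold.conf."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield lineno, line


def load_suppressions(text: str) -> List[Suppression]:
    return [parse_suppress_line(line) for _, line in _config_lines(text)]


def validate_threshold_conf(text: str) -> List[str]:
    """Lint a threshold.conf before restarting Snort; one message per rejected line."""
    errors = []
    for lineno, line in _config_lines(text):
        try:
            parse_suppress_line(line)
        except ValueError as e:
            errors.append(f"line {lineno}: {e}")
    return errors


def is_suppressed(rules: List[Suppression], gid: int, sid: int, src: str, dst: str) -> bool:
    """True if any entry would silence this alert (the signature itself still runs)."""
    return any(r.matches(gid, sid, src, dst) for r in rules)


# Constructed sample threshold.conf for this example, not from a real deployment.
SAMPLE_THRESHOLD_CONF = """\
# the NXDOMAIN example from the answer above
suppress gen_id 1, sig_id 13948, track by_dst, ip 10.10.8.240
# global suppression: silence the SID for every source and destination (placeholder SID)
suppress gen_id 1, sig_id 1000001
# by_src with an IP list (bracket syntax assumed from Snort's IP-list format; placeholder SID)
suppress gen_id 1, sig_id 1000002, track by_src, ip [10.10.8.0/24,192.0.2.7]
"""

if __name__ == "__main__":
    rules = load_suppressions(SAMPLE_THRESHOLD_CONF)
    # DNS reply back to the lookup host: the destination matches, so the alert is silenced.
    print(is_suppressed(rules, 1, 13948, "192.0.2.53", "10.10.8.240"))  # True
    # Same SID with the lookup host as source: track by_dst does not match.
    print(is_suppressed(rules, 1, 13948, "10.10.8.240", "192.0.2.53"))  # False
    # The host:port form from the post above is rejected before Snort ever sees it.
    print(validate_threshold_conf(
        "suppress gen_id 1, sig_id 1394, track by_dst, ip 10.182.196.135:925"))
```

Run `validate_threshold_conf()` over your real file whenever you add entries; a suppress line Snort cannot parse is cheaper to find this way than by reading startup output after a restart. To narrow a suppression to one service rather than a whole host, the suppress syntax gives you no port option, so the usual route is a pass rule with the port in the header (as in the answer's ICMP example, but with `tcp` and the port in place of `any`). If a pass rule does not appear to take effect, check the rule evaluation order (`config order:` in snort.conf, or the `-o` switch) so that pass rules are evaluated before alert rules.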