Meddane
VIP

How to exempt specific Servers from a Snort Rule to avoid false positive while keeping the protection ON for the rest of the network?

Sometimes a false positive from the IPS causes undesirable behaviour that breaks legitimate traffic.

The basic and straightforward solution is either to disable the Snort rule that causes the false positive or to set its action to Generate Events.

Or you could create a specific ACP rule (Access Control Policy rule) that matches the server traffic and apply a custom IPS policy with this Snort rule disabled, but that is a big solution for a small problem. Imagine many servers and many false positives across many Snort rules.

Even if disabling the rule fixes the issue for your server, you turn off that protection for the rest of the network.

The best solution is to use a Snort pass rule.

The idea is to duplicate the Snort rule, change the rule header so that it matches your server's IP address, change the SID so the new rule is uniquely identified, and then change the rule action to "Pass".

[image: 1.PNG]

[image: 6.PNG]

After that you have two Snort rules with the same body, which is the part of the rule that identifies the threat, exploit, etc., but with different SIDs (52068 and 1000000) and different rule headers, as shown below.

The pass Snort rule with SID 1000000 matches only traffic destined to or sourced from your server, 10.1.5.15 in this case. When it matches, the traffic passes through Snort without being inspected by the other Snort rule, SID 52068, which Talos defined to drop the packet.

[image: 3.PNG]

The Talos Snort rule with SID 52068 matches the rest of the traffic, and when it matches, the traffic is dropped.
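As an added example (not part of the original post), a small Python helper that derives the pass rule from a Talos rule exactly the way described above: same body, header pinned to the server IP, and a new local SID. The rule body used here is a constructed placeholder, since the real content of SID 52068 is not reproduced in the post, and the helper assumes the protected server sits on the destination side of the original header.

```python
import re

# Constructed sample rule. The body is a placeholder standing in for the
# real Talos rule with SID 52068, whose content is not reproduced here.
TALOS_RULE = (
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 445 '
    '(msg:"PLACEHOLDER Talos rule body"; flow:to_server,established; '
    'content:"example"; classtype:attempted-admin; sid:52068; rev:3;)'
)

# Header = action proto src sport dir dst dport, then the body in parentheses.
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)$'
)
SID_RE = re.compile(r'sid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'rev\s*:\s*\d+\s*;')


def make_pass_rule(rule: str, server_ip: str, new_sid: int) -> str:
    """Return a pass rule with the same body as `rule`, but whose header
    only matches traffic to or from `server_ip`, under a new local SID."""
    m = HEADER_RE.match(rule.strip())
    if m is None:
        raise ValueError("unrecognised Snort rule header")
    if new_sid < 1000000:
        raise ValueError("local rules must use SID 1000000 or higher")
    h = m.groupdict()
    body = SID_RE.sub(f"sid:{new_sid};", h["body"], count=1)
    body = REV_RE.sub("rev:1;", body, count=1)
    # Pin the $HOME_NET side to the single server and use the bidirectional
    # operator so packets sourced from the server match too, while the port
    # bindings of the original header are kept.
    return (f"pass {h['proto']} {h['src']} {h['sport']} <> "
            f"{server_ip} {h['dport']} ({body})")


def rule_sid(rule: str) -> int:
    """Extract the SID of a rule, to confirm the pair stays distinct."""
    m = SID_RE.search(rule)
    if m is None:
        raise ValueError("rule has no sid")
    return int(m.group(1))


def same_body(rule_a: str, rule_b: str) -> bool:
    """True when two rules share the same body apart from sid and rev."""
    def norm(r: str) -> str:
        body = HEADER_RE.match(r.strip()).group("body")
        return REV_RE.sub("", SID_RE.sub("", body))
    return norm(rule_a) == norm(rule_b)


if __name__ == "__main__":
    print(make_pass_rule(TALOS_RULE, "10.1.5.15", 1000000))
```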

[image: 2.PNG]

[image: topopo1.PNG]
