Block a high bandwidth host from snort using BPF rule
Sometimes a single high-bandwidth host takes up valuable resources on your server and Snort struggles to keep up with the demand. This is a simple way to stop Snort from seeing or processing that host's traffic and save the resources for catching bad traffic from other hosts.
This also helps if you happen to have your IDS behind a firewall and your LAN traffic passes through that same interface.
To do this simply create a file, named whatever you like (mine is /etc/snort/bpf.conf)
add: (changing the IP to the host you wish to ignore)
not host 192.168.0.3
Then change the Snort initscript so that it is called with the -F flag to load the BPF file. In ClarkConnect this is achieved by editing /etc/rc.d/init.d/snort and changing the line near the end from
daemon snort -i $INTERFACE -D -c /etc/snort.conf
to:
daemon snort -i $INTERFACE -F /etc/snort/bpf.conf -D -c /etc/snort.conf
For additional filter syntax check out the tcpdump man page for dropping other traffic before Snort sees it. Note you can achieve something similar with bypass rules; however this method completely removes the traffic from the sensor and saves CPU time.
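As an added example (not code from the original post or from the Snort project), the shell helpers below generalize the single `not host` line into one expression that excludes several hosts and networks at once, write it to the file Snort is started with via -F, and compile-check it with `tcpdump -d`. The file path, helper names and sample addresses are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build and sanity-check a Snort
# BPF exclusion file from a list of hosts and networks.
# Assumptions: file path and helper names are this example's own;
# the "not host X" / "not net X/Y" syntax is the one shown in the post.

# Emit one BPF expression that excludes every argument. Arguments containing
# a slash are treated as networks (net a.b.c.0/24), everything else as hosts.
# All exclusions are OR-ed inside a single "not (...)" so Snort gets one filter.
build_bpf_exclude() {
    expr=""
    for target in "$@"; do
        case "$target" in
            */*) term="net $target" ;;
            *)   term="host $target" ;;
        esac
        if [ -z "$expr" ]; then
            expr="$term"
        else
            expr="$expr or $term"
        fi
    done
    [ -n "$expr" ] || return 1          # refuse to emit an empty filter
    printf 'not (%s)\n' "$expr"
}

# Write the expression to the file Snort is started with (-F <file>).
write_bpf_file() {
    file="$1"; shift
    build_bpf_exclude "$@" > "$file" || return 1
    printf 'wrote %s: %s\n' "$file" "$(cat "$file")"
}

# Compile the filter without capturing anything: tcpdump -d prints the
# compiled BPF program and exits non-zero on a syntax error. It needs the
# privileges tcpdump requires to open the capture interface.
check_bpf_file() {
    tcpdump -d -F "$1" > /dev/null
}

# Usage (constructed values; run the check step with capture privileges):
#   write_bpf_file /etc/snort/bpf.conf 192.168.0.3 192.168.1.0/24
#   check_bpf_file /etc/snort/bpf.conf && echo "filter compiles"
```

Keep in mind that anything matched by the exclusion never reaches the sensor at all, so attacks to or from an excluded host or subnet go undetected; exclude the narrowest thing that solves the load problem (a single host, or a host and port, rather than a whole subnet) and review the file whenever the network changes.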
Comments
I should add this is for Snort 2.4.3; the new version of Snort 2.8.0.1 allows you to add BPF rules from within /etc/sysconfig/snort. You can specify the line as above or point it to a file with all your extra config.
Or if you want to block a subnet you can use the following:-
not net 192.168.1.0/24
Useful if you have snort listening on the same interface as your LAN traffic (i.e. standalone server)
I tried not net 192.168.1.0/24 but it hasn't blocked anything. Any other suggestions?
___________
Mathew Farney | Web Hosting