
Is there a method for a specific program to bypass Snort filters?

I am on a gigabit network; however, due to Snort being single-threaded, the filtering reduces download speed from 980 Mbit/s down to 380 Mbit/s. I don't mind the reduction for 99% of the programs we use. However, I would like one program to obtain full bandwidth regardless of the user.

 

Thus, is there a rule that can be set to allow a specific program (regardless of the user/PC) to bypass IDS filtering?

 

For example: I have 5 PCs, and all 5 PCs have STEAM installed. I would like to set up a rule so that STEAM bypasses all filters and is allowed free rein of the bandwidth.

 



  • Hi,

    You can disable IPS in the IPS tab and then further in the DoS protect tab.

     

    Ian

  • rfcat_vk said:

    Hi,

    You can disable IPS in the IPS tab and then further in the DoS protect tab.

     

    Ian

     

     

    Well of course, that is the simplest answer, but it's not what I am looking for since this would leave my network exposed. I am not looking to leave my network without IPS. I am just wondering if I can keep the IPS for everything else except, let's say, STEAM.

     

    I know that the appliance does deep packet inspection and I know that it can tag a stream that's STEAM, so the question is: can just the STEAM stream be allowed to bypass IPS regardless of what internal IP calls it?

  • Hi,

    At this stage I don't believe there is a way using the GUI; possibly in the CLI, but you will need one of the wizkids for that.

    You can tune the IPS so that it is not that sensitive; I have some of the DoS protect enabled. When I get a decent-speed internet (depending on who you listen to, either mid next year or by 2020) I will have to worry about the IPS performance. Only on very rare occasions do I get issues with IPS, e.g. the speed gets to 5.1 and only one user is downloading a large file.

    Somewhere there is a box to tick for streaming audio and video not to be scanned.

    Ian

  • Thanks, yeah, we have FiOS gigabit and they are actually true to their word. We get anywhere between 960 and 980 when piping from an NNTP test, so yeah, the pipe is there and it's working. However, once I get IPS on full, with everything on I get 340; with selective on (40% disabled) I get 380, so not much. It's running on bare hardware with an Intel Gigabit Pro quad network card on an i5 3.6 GHz CPU with 8 GB of RAM. The test was on just one user, so no other workload. If I multi-thread the download I can max the download pipe, but applications like, let's say, STEAM don't do that.

  • Hi,

    Check the IPS GUI tabs and see which is the offending IPS function; you can increase the packet count. Hopefully in the next release, v17.1.x, there will be an improved and refined IPS.

    Otherwise you need to wait for a wizkid or mod to assist with the tuning.

    Ian

  • Hi

     

    1. Create a rule above your Internet access rule that has LAN to WAN and uses the STEAM DNS name or IP span for the destination. I found this on the web:

    https://support.steampowered.com/kb_article.php?ref=8571-GLVN-8711 At the end of the article you can see the DNS names used, or you can check your firewall logs for the DNS names as well.

    Remember to match the DNS name using a wildcard name, for example *.steampowered.com. For this you need to be on version 17 of SFOS.

    Remove all protection for the rule, but remember to use MASQ.

    This will make the traffic to Steam NOT use the IPS, but all other traffic will still get processed by your rule below.

     

    If that doesn't get you all the way, even though the traffic to Steam is processed by the STEAM rule, then you can try step 2 as well.

     

    2. The IPS engine is used for application classification. That's why, even if you don't have an IPS policy in place, the traffic will still get processed by the IPS engine.

    You can turn off this function through the CLI. So if you don't use the reports for applications and don't mind that the dashboard will show Unclassified application in the GUI, then:

     

    1. Access the system through the CLI.

    2. Select option 4.

    3. Type: "system application_classification off" without the quotes.

    4. See if the throughput gets improved.

     

    The IPS will still work; this is just for application classification.

    //Rickard Nordahl
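The rule-ordering logic behind step 1, as an added example that is not part of the thread and not Sophos's own code: a constructed first-match model of a LAN-to-WAN ruleset in which a wildcard-FQDN bypass rule sits above the general Internet access rule. The zone names, the `Rule` fields and the wildcard semantics (shell-style `*`, as in `fnmatch`) are assumptions for the model; they show why the bypass rule must be placed first and why a destination outside the wildcard (for example the bare domain, or a content host under another domain) still falls through to the IPS-scanned rule.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    """Constructed model of one firewall rule (not the SFOS data model)."""
    name: str
    src_zone: str
    dst_zone: str
    dst_fqdn: Optional[str]  # wildcard such as "*.steampowered.com"; None = any destination
    ips: bool                # True if IPS/security scanning is applied to matched traffic
    masq: bool               # source NAT, kept on for the bypass rule as the post advises

def matches(rule: Rule, src_zone: str, dst_zone: str, dst_host: str) -> bool:
    """Zone pair must match; a None destination matches any host."""
    if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
        return False
    if rule.dst_fqdn is None:
        return True
    # Assumed wildcard semantics: "*.steampowered.com" needs the literal
    # ".steampowered.com" suffix, so the bare "steampowered.com" does not match.
    return fnmatch.fnmatchcase(dst_host.lower(), rule.dst_fqdn.lower())

def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, dst_host: str) -> Optional[Rule]:
    """First-match, top to bottom: the first rule that matches decides."""
    for rule in rules:
        if matches(rule, src_zone, dst_zone, dst_host):
            return rule
    return None

# Constructed ruleset in the order the post recommends: bypass rule above Internet access.
RULES = [
    Rule("Steam bypass", "LAN", "WAN", "*.steampowered.com", ips=False, masq=True),
    Rule("Internet access", "LAN", "WAN", None, ips=True, masq=True),
]

def ips_applied(dst_host: str, rules: List[Rule] = RULES) -> Optional[bool]:
    """Return whether IPS scans LAN->WAN traffic to dst_host (None = no rule, implicit drop)."""
    rule = evaluate(rules, "LAN", "WAN", dst_host)
    return rule.ips if rule else None

if __name__ == "__main__":
    for host in ("store.steampowered.com", "steampowered.com", "example.com"):
        print(f"{host:28} IPS applied: {ips_applied(host)}")
    # Same rules in the wrong order: the general rule shadows the bypass rule.
    print("reversed order, store.steampowered.com ->", ips_applied("store.steampowered.com", RULES[::-1]))
```

Hosts that Steam also talks to but that are not under the wildcard (the post says to check the firewall logs for them) take the `True` path, which is the "doesn't get you all the way" case the post anticipates.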