
Is there a method for a specific program to bypass Snort filters?

I am on a gigabit network; however, because SNORT is single threaded, the filtering reduces download speed from 980 Mbit/s down to 380 Mbit/s. I don't mind the reduction for 99% of the programs we use. However, I would like one program to obtain full bandwidth regardless of the user.

 

Thus, is there a rule that can be set to allow a specific program (regardless of the user/PC) to bypass IDS filtering?

 

For example: I have 5 PCs, and all 5 PCs have STEAM installed. I would like to set up a rule so that STEAM bypasses all filters and is allowed full rein of the bandwidth.

 



  • Hi

    1.

    Create a rule above your Internet access rule that has LAN to WAN and uses the STEAM DNS name or IP span for the destination. I found this on the web:

    https://support.steampowered.com/kb_article.php?ref=8571-GLVN-8711 At the end of the article you can see the DNS names used, or you can check your firewall logs for the DNS names as well.

    Remember to match the DNS name using a wildcard name, for example *.steampowered.com. For this you need to be on version 17 of SFOS.

    Remove all protection for the rule, but remember to use MASQ.

    This will make the traffic to Steam NOT use the IPS, but all other traffic will still get processed by your rule below.

    If that doesn't get you all the way, even though the traffic to Steam is processed by the STEAM rule, then you can try step 2 as well.

    2.

    The IPS engine is used for application classification. That's why, even if you don't have an IPS policy in place, the traffic will still get processed by the IPS engine.

    You can turn off this function through the CLI. So if you don't use the reports for applications and don't mind that the dashboard will show "Unclassified" applications in the GUI, then:

    1. access the system through the CLI

    2. select option 4

    3. type: "system application_classification off" without the "

    4. see if the throughput gets improved.

    The IPS will still work; this is just for application classification.

    //Rickard Nordahl
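The reply above depends on two things that are easy to get wrong when exempting one destination from IPS: the exemption rule must sit above the general Internet access rule (firewall rules are evaluated first match wins), and the wildcard FQDN must match only real subdomains of the intended destination. The following Python model is an added illustration written for this page; it is not Sophos code and does not reproduce SFOS rule semantics exactly. The rule names, zones and test hostnames are constructed; only the `*.steampowered.com` pattern comes from the reply.

```python
"""
Model of first-match firewall rule evaluation with wildcard FQDN destinations.
Hypothetical illustration of the rule ordering described in the reply above;
not Sophos/SFOS code.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_hosts: Tuple[str, ...]   # wildcard FQDN patterns; empty tuple = any destination
    ips_enabled: bool            # False = traffic matching this rule skips IPS
    masquerade: bool = True      # the reply says to keep MASQ on the bypass rule


def fqdn_matches(pattern: str, host: str) -> bool:
    """Match a wildcard FQDN pattern against a hostname (case-insensitive).

    Only a leading '*.' wildcard is supported and it must consume at least one
    label, so '*.example.com' covers 'a.example.com' but not 'example.com',
    and never 'evilexample.com' or 'example.com.attacker.test'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                    # e.g. '.example.com'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def first_match(rules: Sequence[Rule], src_zone: str, dst_zone: str,
                dst_host: str) -> Optional[Rule]:
    """Return the first rule (top to bottom) whose zones and destination match."""
    for rule in rules:
        if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
            continue
        if rule.dst_hosts and not any(fqdn_matches(p, dst_host) for p in rule.dst_hosts):
            continue
        return rule
    return None


# Constructed rule set in the order the reply recommends: bypass first, general rule below.
RULES: Tuple[Rule, ...] = (
    Rule("Steam bypass", "LAN", "WAN", ("*.steampowered.com",), ips_enabled=False),
    Rule("Internet access", "LAN", "WAN", (), ips_enabled=True),
)


def decide(dst_host: str, rules: Sequence[Rule] = RULES,
           src_zone: str = "LAN", dst_zone: str = "WAN") -> Tuple[Optional[str], bool]:
    """Return (matched rule name or None, whether IPS inspection applies).

    With no matching rule the traffic is not exempted from anything (it would
    simply be dropped by an implicit deny), so IPS exemption is reported False.
    """
    rule = first_match(rules, src_zone, dst_zone, dst_host)
    if rule is None:
        return (None, True)
    return (rule.name, rule.ips_enabled)


if __name__ == "__main__":
    for host in ("store.steampowered.com", "example.org", "steampowered.com.attacker.test"):
        print(host, "->", decide(host))
    # Same rules in the wrong order: the bypass never fires.
    print("reversed:", decide("store.steampowered.com", rules=RULES[::-1]))
```

The two checks worth keeping from this model: the exemption only fires for hosts that are genuine subdomains of the pattern (look-alike names still hit the inspected rule), and swapping the rule order silently turns the bypass into dead configuration, because the broader Internet access rule matches everything first.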
