Snort, like any IDS, is bound to generate false positives, particularly right after it's been installed. This is especially true for very ambiguous alerts. Take the following, for instance:
SHELLCODE x86 inc ebx NOOP
This alert is generated by an executable being downloaded over the network. Of course, an executable program can be an equally legitimate or malicious thing. An alert generated every time a .exe is pulled from the internet is unfavorable, but disabling the rule altogether might result in an administrator missing a security risk. Wouldn’t it be great if we could have Snort ignore certain networks altogether? That way, we can add the IP ranges of legitimate organizations where we expect such downloads to come from (Microsoft, etc.) and only be alerted when the download comes from an untrusted location.
Let’s begin by opening snort.conf, Snort’s configuration file. Search for the line which says:
Begin by uncommenting it. Next, add the location of the file which will define our whitelisted hosts and networks. What you call it isn’t important. The line in my Snort configuration therefore looks like the following:
config bpf_file: /etc/snort/ignore.bpf
Save your snort.conf and exit the editor. Next, create the file you just specified. In it, you can whitelist individual hosts, or networks in CIDR notation. Here are some examples. The ! before a line indicates the network is to be ignored. You can get granular with options like src, dst, port and more. Notice that an ‘and’ must be appended to the end of each line if there are more lines after it! Keep in mind that traffic matched by this filter never reaches Snort at all, so no rule will fire for it, not only the noisy one.
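# Business partner IP Ranges
# A 'net' must be written as its network base address: libpcap refuses to
# compile a net whose address has host bits set ("non-network bits set").
!(net 18.104.0.0/17) and
!(net 22.214.128.0/17) and
!(host 126.96.36.199) and
!(src net 10.10.1.0/24 && dst net 10.10.10.210 && dst port 80)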
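A quick way to catch the two easiest mistakes in this file before restarting Snort, a forgotten trailing ‘and’ and a net written with host bits set, is a small lint script. This is an added example, not part of the original post. The function name lint_bpf and the sample addresses (documentation ranges) are made up for illustration, and it assumes # starts a comment, as in the file above.

```python
import ipaddress
import re

# Constructed sample input using documentation address ranges (not from the post).
SAMPLE_BPF = """\
# Business partner IP ranges
!(net 192.0.2.0/24) and
!(net 198.51.100.77/24) and
!(host 203.0.113.10)
!(src net 10.10.1.0/24 && dst port 80)
"""

# Matches "net a.b.c.d/len", also after src/dst qualifiers.
CIDR = re.compile(r"\bnet\s+(\d+\.\d+\.\d+\.\d+/\d+)")


def lint_bpf(text):
    """Return a list of (line_number, message) problems in a BPF ignore file."""
    # Keep only filter lines; drop comments and blanks but remember line numbers.
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append((n, line))

    problems = []
    for i, (n, line) in enumerate(rules):
        last = i == len(rules) - 1
        joined = re.search(r"(\band|&&)$", line) is not None
        if not last and not joined:
            problems.append((n, "missing trailing 'and'"))
        if last and joined:
            problems.append((n, "dangling 'and' on last line"))
        if line.count("(") != line.count(")"):
            problems.append((n, "unbalanced parentheses"))
        for cidr in CIDR.findall(line):
            try:
                base = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append((n, f"invalid network {cidr}"))
                continue
            # libpcap rejects a net whose address is not the network base.
            if str(base.network_address) != cidr.split("/")[0]:
                problems.append((n, f"host bits set in {cidr}; use {base}"))
    return problems


if __name__ == "__main__":
    for n, msg in lint_bpf(SAMPLE_BPF):
        print(f"line {n}: {msg}")
```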