Kerio User Forums » Kerio Control » Exclude addresses from being checked by IPS?
  •  
perbauer

I have a specific IP address that gets blocked by Intrusion Prevention; it is in the Russian Business Network. I went into the file used.rules in the sub-directory Snort and deleted the networks in which the address is located. Then I restarted the firewall computer completely. But this did not help; the IP address is still getting blocked by the RBN rule. Now I have set it to only Log under IPS RBN, but I'd like to also be able to set Drop on all but a few selected IP addresses. What I'd really like, I guess, would be some sort of whitelist for IPS.

Anyone know a way to exclude specific IP addresses from being checked by IPS?
  •  
tomislav.parcina

perbauer wrote on Wed, 06 October 2010 11:11
I have a specific IP address that gets blocked by Intrusion Prevention; it is in the Russian Business Network. I went into the file used.rules in the sub-directory Snort and deleted the networks in which the address is located. Then I restarted the firewall computer completely. But this did not help; the IP address is still getting blocked by the RBN rule. Now I have set it to only Log under IPS RBN, but I'd like to also be able to set Drop on all but a few selected IP addresses. What I'd really like, I guess, would be some sort of whitelist for IPS.

Anyone know a way to exclude specific IP addresses from being checked by IPS?


I have the same problem. I would like to whitelist some IP ranges so that they are not blocked by IPS.

Does Kerio Control support IP whitelisting?

--
Tomislav Parčina
  •  
ksnyder

This *may* suit your needs.

You can use the IPS-->Advanced feature to add an exception using Rule IDs from the security log. See http://kb.kerio.com/product/kerio-control/security/configuring-intrusion-prevention-system-1324.html and the section "Configuring ignored intrusions".

Intrusion Prevention is performed prior to Traffic Rules, as a result it is not possible to build a Traffic Rule that bypasses IPS for specific IP addresses generating inbound traffic.

Ken Snyder
  •  
tomislav.parcina

ksnyder (KERIO) wrote on Mon, 10 August 2015 19:11
This *may* suit your needs.

You can use the IPS-->Advanced feature to add an exception using Rule IDs from the security log. See http://kb.kerio.com/product/kerio-control/security/configuring-intrusion-prevention-system-1324.html and the section "Configuring ignored intrusions".

Intrusion Prevention is performed prior to Traffic Rules, as a result it is not possible to build a Traffic Rule that bypasses IPS for specific IP addresses generating inbound traffic.


This isn't a good solution because it disables the rule completely, and I would like the rule to still be active, just not in specific cases.

--
Tomislav Parčina
  •  
ksnyder

...which is why I said the alternative solution *may* work for you and also why I included the clarification at the end about the order in which IPS and Traffic Rules are evaluated.

Ken Snyder
  •  
ericbullock

Just wondering if there had been any change to the way Control since the OP asked this question? I just now had to disable a rule to allow a conferencing app to work correctly. Control was dropping it because of a blank "User-Agent" header. I'd much prefer to leave the rule ON and allow an IP (or range of IP's) to bypass IPS.

[Updated on: Tue, 12 April 2016 00:12]

  •  
ksnyder

See http://kb.kerio.com/1324 and the section, "Configuring Ignored Intrusions". If you can identify the Rule ID, you can add it to an ignore list.

[Updated on: Tue, 12 April 2016 00:22]


Ken Snyder
  •  
perbauer

But "Configuring ignored intrusions" is just what we do not want to do. We want to exclude IP addresses, not rules!
  •  
ericbullock

Exactly. My question was not how to ignore a rule but whether things have changed in Control since the OP asked this question.

But thank you for the reply, Ken.
  •  
ksnyder

Nothing has changed. IPS is evaluated BEFORE traffic rules, so even configuring a traffic rule will not help with this. If you'd like to suggest changes or enhancements for any Kerio product, that process hasn't changed either. It's still: http://kb.kerio.com/1643

Ken Snyder
  •  
ericbullock

OK, well it was worth asking. Feedback left on the Control feedback site.