@vidorado said in Snort ignoring passlist:
@bmeeks said in Snort ignoring passlist:
then restart Snort on the affected interface.
In my case this was the problem. I had updated the passlist and it was already assigned to the interface, even the IP list showing with "View List" button next to the dropdown was ok. But it kept blocking the new IPs added to the passlist until I restarted the Snort interface.
Remember that the Snort package consists of two distinct parts. There is an underlying binary executable that runs as a service, and there is the PHP-driven GUI that generates the configuration files needed by the binary.
When you make changes to Snort's configuration, those changes are written to one of the few text configuration files read by the binary. But the binary only reads those files once during startup. So any changes require restarting the binary so it can "see" the new configuration. The only exception to this is loading new rules. The binary can be signaled via SIGHUP to reload its rules file, but that is all. Other changes require a restart.
When you "view a Pass List" in the GUI, all it is doing is reading the content of the Pass List text file and displaying it for you. If the text file has been rewritten, but the binary not restarted, then what the binary is using will not match what the GUI is showing.
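The mismatch described above can be checked from a shell. This is an added example, not part of the original posts or of the Snort package: it lists configuration files that were rewritten after the binary started, assuming the pid file's modification time approximates the start time. The function name and the paths in the usage comment are hypothetical placeholders.

```shell
#!/bin/sh
# Added illustration: report config files that are newer than the running
# binary, i.e. files the GUI will display but the binary has not read.
# Assumption: the pid file is written once at startup, so its mtime
# approximates the time the binary last read its configuration.

# stale_configs PIDFILE FILE...
# Prints each FILE modified more recently than PIDFILE.
# Returns 0 if at least one file is stale, 1 if none are, 2 if PIDFILE is missing.
stale_configs() {
    pidfile=$1
    shift
    if [ ! -f "$pidfile" ]; then
        echo "pid file not found (is the binary running?): $pidfile" >&2
        return 2
    fi
    found=1
    for f in "$@"; do
        [ -f "$f" ] || { echo "skipping missing file: $f" >&2; continue; }
        # find -newer is POSIX: it matches when $f's mtime is later than
        # the pid file's mtime.
        if [ -n "$(find "$f" -newer "$pidfile" 2>/dev/null)" ]; then
            echo "$f"
            found=0
        fi
    done
    return "$found"
}

# Usage (placeholder paths, substitute the ones for your interface):
#   stale_configs /path/to/snort.pid /path/to/snort.conf /path/to/passlist \
#       && echo "restart Snort on this interface to apply the files above"
```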