[snort] How to really whitelist an IP and test it?
-
I use pfSense with HAProxy and Snort on the WAN interface in front of my production servers.
But the database is outside and it gets Snort-blocked a lot.
I have added its IP to both IP Rep and External Net and restarted the Snort preprocessor every time, but it still got blocked.
I've added the IP to the "Pass List" instead of External Net (and kept IP Rep) and I'm waiting to see if the IP gets blocked again.
Do you have tips to test that the whitelist really works? Theoretically I could forge a dangerous-looking request to get blocked, but I don't know how to.
Can you think of something I've forgotten or misunderstood that would make the whitelist fail again?
Have you ever had issues with whitelisting before, and how did you fix them?
-
If I understand your post correctly, you have devices on your internal network (LAN) that communicate with a database server located elsewhere on the Internet (accessible via your WAN).
If this is true, then you simply need to add the IP address of the remote DB server to a Pass List: create a list on the PASS LIST tab, accept the default checked options, add the IP address of the remote DB to the list using the controls at the bottom of the EDIT LIST screen, then save the new list. Now go to the INTERFACE SETTINGS tab in Snort for your WAN (since you are running Snort on that interface) and select the newly created Pass List in the drop-down selector there. Save that change and restart Snort on the interface.
You do NOT need to be changing the HOME_NET or EXTERNAL_NET variable settings. Changing those is almost never required, and changing them from the defaults without a full understanding of what they are for and how they work will result in a setup that will NOT trigger rules properly. The fact that you altered them in an attempt to solve the problem you describe indicates you may not understand what those parameters are actually for. They define the networks to be protected (HOME_NET) and the networks that are assumed hostile (EXTERNAL_NET). The default setup puts every address/network not defined in HOME_NET into EXTERNAL_NET. Literally, in the PHP code, $EXTERNAL_NET is defined as !$HOME_NET (the leading '!' character indicates a logical NOT operation).
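The answer's point, that EXTERNAL_NET already contains every address outside HOME_NET (so adding the DB server there changes nothing, while a Pass List does exempt it from blocking), modelled in Python as an added example; this is not code from either poster or from pfSense, and the networks, the DB address and the handling of the `!$HOME_NET` token are constructed assumptions for illustration:

```python
import ipaddress

# Constructed example values; not the poster's real networks.
HOME_NET = ["192.168.1.0/24"]          # the networks Snort protects
DEFAULT_EXTERNAL_NET = ["!$HOME_NET"]  # pfSense default: everything not in HOME_NET
DB_SERVER = "203.0.113.45"             # hypothetical remote database address


def _in_nets(ip, nets):
    """True if ip falls inside any CIDR or host entry in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def in_home_net(ip, home_net=HOME_NET):
    return _in_nets(ip, home_net)


def in_external_net(ip, external_net=DEFAULT_EXTERNAL_NET, home_net=HOME_NET):
    """Resolve EXTERNAL_NET the way the answer describes: the token
    '!$HOME_NET' is the logical NOT of HOME_NET; any other entry is an
    explicit address or network added by the administrator."""
    for entry in external_net:
        if entry == "!$HOME_NET":
            if not in_home_net(ip, home_net):
                return True
        elif _in_nets(ip, [entry]):
            return True
    return False


def would_block(ip, pass_list=(), external_net=DEFAULT_EXTERNAL_NET, home_net=HOME_NET):
    """Would a rule of the usual form `$EXTERNAL_NET any -> $HOME_NET any`
    that fires on traffic from ip lead to a block?  Being in EXTERNAL_NET is
    what makes the address a candidate in the first place; only the Pass
    List exempts it."""
    if _in_nets(ip, pass_list):
        return False
    return in_external_net(ip, external_net, home_net)


if __name__ == "__main__":
    # The DB server is already external by default...
    print(in_external_net(DB_SERVER))                             # True
    # ...so listing it in EXTERNAL_NET explicitly changes nothing.
    print(in_external_net(DB_SERVER, ["!$HOME_NET", DB_SERVER]))  # True
    # Only a Pass List entry stops the block.
    print(would_block(DB_SERVER))                                 # True
    print(would_block(DB_SERVER, pass_list=[DB_SERVER]))          # False
```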