Netgate Discussion Forum

    pass list

    Category: IDS/IPS | 7 Posts, 3 Posters, 421 Views
      luisenrique wrote:

      I have trouble with Snort v4.1.6 on pfSense 2.6.0. I'm using a pass list and added an IP to avoid being blocked, but it has no effect; even after deactivating the rule, it gets blocked. My IPS Mode is Legacy. I have been using Snort and pfSense for many years and this never happened to me. My boss told me to deactivate it, but recently we had a security incident, and I don't want to deactivate Snort under any circumstances.

        SteveITS @luisenrique wrote:

        @luisenrique Did you restart Snort on that interface after changing the pass list?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          luisenrique @SteveITS wrote:

          @steveits Yes, I restarted Snort on the Interfaces tab.

            bmeeks wrote:

            If you notice a newly added Pass List entry not working (and you have assigned the pass list on the INTERFACE SETTINGS tab and restarted Snort after the change), then you likely have a duplicate Snort process running on the interface.

            To see if this is the case, execute this command from a shell prompt (either directly on the firewall's console or via SSH):

            ps -ax | grep snort

            You should see only a single Snort instance per configured interface. If you see a duplicate line, then you have two Snort instances running on the same interface. That means one of the instances is now a zombie and will not respond to changes you make in the GUI interface. You will need to kill the duplicate process. The easiest way to do this is to shut down all Snort processes using the GUI controls. Go to the INTERFACES tab in Snort and stop all Snort instances.

            Now return to the shell prompt and execute the above command again. If you see any still running Snort processes, note the Process ID (PID) and then kill it using this command:

            kill -9 <pid>

            where <pid> is the Process ID of the running Snort process.

            Now return to the GUI and restart Snort on the INTERFACES tab.

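The duplicate-instance check bmeeks describes, as an added shell example (not bmeeks' own code or part of the pfSense Snort package): both functions read `ps -ax` style output on stdin, so they run offline against the constructed sample below, whose PIDs and paths are made up to resemble a pfSense Snort command line.

```shell
#!/bin/sh
# Added example, not from the thread: spot the "zombie" case where an
# interface has more than one Snort process attached. Input is `ps -ax`
# output on stdin; the sample further down is constructed.

# Print each interface name that has more than one snort process.
duplicate_snort_ifaces() {
    # keep real snort daemons only (the trailing space excludes "grep snort"),
    # then pull the interface out of the "-i <ifname>" argument and report
    # any interface name that appears more than once
    grep '[/ ]snort ' |
    sed -n 's/.*-i \([A-Za-z0-9._]*\).*/\1/p' |
    sort | uniq -d
}

# Print the PID of every snort process bound to the interface given as $1,
# i.e. the values you would hand to `kill -9 <pid>` after stopping Snort
# from the GUI.
snort_pids_for_iface() {
    grep '[/ ]snort ' | grep -E -e "-i $1"'( |$)' | awk '{print $1}'
}

# Constructed sample: em0 has two snort processes (1234 is live, 1300 is
# the leftover), em1 has one, plus the grep line ps always shows.
SAMPLE_PS='  PID TT  STAT    TIME COMMAND
 1234  -  Ss   0:01.23 /usr/local/bin/snort -R 12345 -D -q -c /usr/local/etc/snort/snort_12345_em0/snort.conf -i em0
 1300  -  Ss   0:00.11 /usr/local/bin/snort -R 12345 -D -q -c /usr/local/etc/snort/snort_12345_em0/snort.conf -i em0
 1401  -  Ss   0:02.05 /usr/local/bin/snort -R 67890 -D -q -c /usr/local/etc/snort/snort_67890_em1/snort.conf -i em1
 2222  0  S+   0:00.00 grep snort'

# On a live firewall replace the printf with: ps -ax | duplicate_snort_ifaces
if [ "${1:-}" = "--demo" ]; then
    for ifc in $(printf '%s\n' "$SAMPLE_PS" | duplicate_snort_ifaces); do
        echo "duplicate snort on $ifc, pids:" \
            $(printf '%s\n' "$SAMPLE_PS" | snort_pids_for_iface "$ifc")
    done
fi
```

Run it with `--demo` to see the sample report; on the firewall, pipe `ps -ax` into the functions instead of the sample.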
              luisenrique @bmeeks wrote:

              @bmeeks
              Thanks! That was my suspicion after some research. I did that; even with Block Offenders off it continued blocking. I will wait for outside working time to do a full restart of my pfSense box.

                bmeeks @luisenrique wrote:

                @luisenrique said in pass list:

                @bmeeks
                Thanks! That was my suspicion after some research. I did that; even with Block Offenders off it continued blocking. I will wait for outside working time to do a full restart of my pfSense box.

                You will also need to manually remove the blocked IP from the BLOCKED HOSTS tab using the buttons there. Simply adding an IP to a Pass List will not remove any previous or existing blocks. Legacy Mode Blocking works by sending an IP address to be blocked to the pfSense firewall engine. Once the IP is sent over and blocked, Snort does nothing further with that IP address. So, that means stopping Snort or adding the IP to a Pass List will not remove the block. Only clearing the IP from the pf firewall engine's snort2c table will remove the block.

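The snort2c behaviour bmeeks explains, as an added shell example (not bmeeks' code or part of the Snort package): it cross-checks a pass list against a dump of pf's snort2c table to find addresses that are pass-listed yet still blocked, and prints the `pfctl -t snort2c -T delete` command for each. Both inputs are plain text files, so it runs offline on the constructed TEST-NET sample; on a live box the table dump comes from `pfctl -t snort2c -T show`.

```shell
#!/bin/sh
# Added example, not from the thread: list pass-listed addresses that are
# still sitting in pf's snort2c table (the state where a block outlives the
# pass list change) and show how to clear them.

# Print addresses present in both files, one per line.
# $1: pass list, one IP or CIDR per line, '#' comments allowed
# $2: table dump as produced by `pfctl -t snort2c -T show`
still_blocked() {
    tmp_pass=$(mktemp) && tmp_tbl=$(mktemp) || return 1
    # normalise both sides: drop comments, blank lines and whitespace, and
    # treat a host written as a.b.c.d/32 the same as a.b.c.d
    sed 's/#.*//; s/[[:space:]]//g; s,/32$,,; /^$/d' "$1" | sort -u > "$tmp_pass"
    sed 's/#.*//; s/[[:space:]]//g; s,/32$,,; /^$/d' "$2" | sort -u > "$tmp_tbl"
    comm -12 "$tmp_pass" "$tmp_tbl"
    rm -f "$tmp_pass" "$tmp_tbl"
}

# Emit one `pfctl -t snort2c -T delete <ip>` line per hit. Printed rather
# than executed so an operator can review them; the BLOCKED HOSTS tab in
# the GUI does the same removal.
delete_commands() {
    still_blocked "$1" "$2" | sed 's|^|pfctl -t snort2c -T delete |'
}

# Constructed sample data (TEST-NET ranges, not from any real firewall).
# 198.51.100.44 falls inside a pass-listed /24 but is NOT reported: this
# check compares exact host entries only and does not expand networks.
SAMPLE_PASS=$(mktemp); SAMPLE_TBL=$(mktemp)
printf '%s\n' '# trusted hosts' '203.0.113.10' '198.51.100.0/24' \
    '192.0.2.7/32' > "$SAMPLE_PASS"
printf '%s\n' '   203.0.113.10' '   192.0.2.7' '   198.51.100.44' > "$SAMPLE_TBL"

if [ "${1:-}" = "--demo" ]; then
    delete_commands "$SAMPLE_PASS" "$SAMPLE_TBL"
fi
```

For a network entry on the pass list, test a single address against the live table with `pfctl -t snort2c -T test <ip>` instead of this exact-match comparison.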
                  luisenrique @bmeeks wrote:

                  @bmeeks said in pass list:

                  u will also need to manually remove the blocked IP from the BLOCKED HOSTS tab using the buttons there. Simply adding an IP to a Pass List will not remove any previous or existing blocks. Legacy Mode Blocking works by sending an IP address to be blocked to the pfSense firewall engine. Once the IP is sent over and blocked, Snort does nothing further with that IP address. So, that means stopping Snort or adding the IP to a Pass List will not remove the block. Only clearing the IP from the pf firewall engine's snort2c table will remove the bloc

                  Thanks again! Happy 2023!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.