Netgate Discussion Forum

Snort Alert Pass List

pfSense Packages
  • C
    Cannondale
    last edited by Apr 9, 2023, 11:54 PM

    New to pfSense and currently running v2.6.

    I have been reviewing the Snort Alerts and have found several IPs that need to be added to the Pass List.
    The documentation on Pass Lists indicates that Pass Lists are lists of IP addresses that Snort should never block.
    The Snort Alerts page displays IPs in the Source and Destination columns.
    When adding IPs to the Pass List, is it the Source IPs that will be whitelisted and not the Destination IP?

    • S
      SteveITS Galactic Empire @Cannondale
      last edited by Apr 10, 2023, 12:58 AM

      @cannondale It depends, which do you trust/never want blocked? :)

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      • C
        Cannondale
        last edited by Apr 10, 2023, 1:09 AM

        I see a particular IP that belongs to my ISP in the Source and Destination Alert columns.
        I believe that the Source IP should be added to the Pass List.
        However, the same IP appears in the Destination column on other Alerts with the description:
        ET DROP Dshield Block Listed Source group 1

        This SID is blocked by Snort.

        Not clear how the Alert Pass List works.

        • S
          SteveITS Galactic Empire @Cannondale
          last edited by Apr 10, 2023, 1:51 AM

          @cannondale Sounds like you are running Snort on WAN. There, it is outside the firewall so will scan traffic that will be blocked.

          Is the IP your WAN IP? Seems like it has to be for you to see incoming traffic. With Snort on LAN you’ll see the IP of LAN devices.

          A pass list does not block IPs that show on the pass list.

          If you run Snort on WAN and pass your own IP, might as well turn off Snort.

          • C
            Cannondale @SteveITS
            last edited by Apr 10, 2023, 11:01 AM

            Thanks for the additional information Steve! I currently have Snort configured to run on just the WAN interface, which is my ISP.

            Just wanted to clarify your comment "If you run Snort on WAN and pass your own IP, might as well turn off Snort".
            You mean Pass List my ISP's Source IP? Correct?

            • S
              SteveITS Galactic Empire @Cannondale
              last edited by Apr 10, 2023, 1:54 PM

              @cannondale Right, traffic to or from IPs on a pass list will not be blocked.

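The pass-list behaviour described in the two replies above (an address on the list is never blocked, whether it appears as source or destination, so passing the firewall's own WAN IP on a WAN-side sensor passes every alert) can be checked against a handful of alert lines. The script below is an added example written for this thread; it is not code from the pfSense Snort package. It parses constructed Snort "fast"-format alert lines (the addresses, SIDs and rule messages other than the Dshield one quoted in the thread are made up; only IPv4 is handled) and reports which alerts would still lead to a block under a given pass list:

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of Snort "fast" alert lines as seen on a WAN-side sensor.
# 198.51.100.7 stands in for the firewall's WAN IP; every other address and
# all SIDs are invented for this example.
SAMPLE_ALERTS = """\
04/10-01:05:11.000001  [**] [1:1000001:1] ET DROP Dshield Block Listed Source group 1 [**] [Priority: 2] {TCP} 203.0.113.10:54321 -> 198.51.100.7:22
04/10-01:05:12.000002  [**] [1:1000002:1] EXAMPLE inbound scan attempt [**] [Priority: 3] {TCP} 192.0.2.77:40000 -> 198.51.100.7:443
04/10-01:05:13.000003  [**] [1:1000003:1] EXAMPLE outbound policy hit [**] [Priority: 3] {UDP} 198.51.100.7:53000 -> 203.0.113.53:53
"""

# Fields of one fast-format line: [gid:sid:rev], message, {proto}, src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?$"
)


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    src: str
    dst: str


def parse_fast_alerts(text):
    """Turn fast-format alert lines into Alert records; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(int(m["sid"]), m["msg"], m["src"], m["dst"]))
    return alerts


def build_pass_list(entries):
    """Accept single hosts or CIDR blocks, as a pfSense pass list does."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_passed(alert, pass_list):
    """Pass-list semantics from the thread: an address on the list is never
    blocked, regardless of whether it is the source or the destination."""
    src = ipaddress.ip_address(alert.src)
    dst = ipaddress.ip_address(alert.dst)
    return any(src in net or dst in net for net in pass_list)


def blocked_alerts(alerts, pass_list):
    """Alerts that would still result in a block after the pass list is applied."""
    return [a for a in alerts if not is_passed(a, pass_list)]


def blocked_sids(text, pass_entries):
    """Convenience wrapper: SIDs that remain blockable for the given pass list."""
    alerts = parse_fast_alerts(text)
    return sorted(a.sid for a in blocked_alerts(alerts, build_pass_list(pass_entries)))


if __name__ == "__main__":
    print("no pass list:      ", blocked_sids(SAMPLE_ALERTS, []))
    print("pass 203.0.113.0/24:", blocked_sids(SAMPLE_ALERTS, ["203.0.113.0/24"]))
    # Passing the WAN IP itself matches every alert on a WAN sensor: nothing is blocked.
    print("pass own WAN IP:   ", blocked_sids(SAMPLE_ALERTS, ["198.51.100.7"]))
```

The third call is the case the thread warns about: because the WAN IP is the source or destination of every alert the WAN sensor sees, putting it on the pass list leaves no alert blockable, which is why the advice is to pass the specific remote addresses you trust rather than your own address.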
              • C
                Cannondale @SteveITS
                last edited by Apr 10, 2023, 3:45 PM

                Thanks for the clarification Steve! Given that my Snort installation is new, I would like to review the Alerts and tune the Alerts that Snort has identified that should not be blocked. Is there a guide / video that can help someone new to Snort analyze the Alert log?

                • S
                  SteveITS Galactic Empire @Cannondale
                  last edited by Apr 10, 2023, 4:37 PM

                  @cannondale I am sure they are somewhere on the Internet but am not aware of any. But you can read through the pinned posts in https://forum.netgate.com/category/53/ids-ips, notably the Quick Setup thread, and any of bmeeks' posts.

                  • C
                    Cannondale @SteveITS
                    last edited by Apr 10, 2023, 4:50 PM

                    Thanks Steve! I'll check them out!

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.