Netgate Discussion Forum
    Snort Blocking /w Rule Force Disabled

Category: IDS/IPS
4 Posts, 2 Posters, 1.8k Views
S_Erickson

Running pfSense 2.3.2-RELEASE-p1 (amd64)

I have snort working in IDS mode, and have set up the IP Rep preproc, using the emerging threats blacklist and an empty whitelist.
I have added several IPs to the whitelist that I have created, but when any of them attempt to communicate it blocks them, saying they are whitelisted. I have tried setting the whitelist to unblack as well as trust, and both times it does the same thing, blocking the packet saying that it is whitelisted. The specific rule, 136:2, has been disabled in the interface configuration, and even shows up in the alerts as force disabled, but it blocks the IP anyway. If the IP is not in the whitelist it lets it through fine, which seems a little absurd to me. So I have suppressed that rule in addition to disabling it, and that seems to work. But this should not be operating like this unless I am (probably) missing something. I have stopped and restarted the service after every setting change, after adding the IP to the whitelist, and after disabling the rule. Every time Snort starts up fine with no errors. Anyone have any ideas about what exactly I'm doing wrong here?

[attachment: Untitled.jpg]
S_Erickson

Some additional testing results:

With the whitelist rule disabled and suppressed, the functionality seems to work for other rules. For example, there was an alert for an IMAP error, but because the mail server was added to the whitelist it did not block it. To test it I added the IP for my home system to the whitelist and ran a port scan on the firewall; again an alert was generated but the address was not blocked. Meanwhile, if I removed the 136:2 rule from the suppress list, leaving it disabled and restarting Snort to refresh the list in memory, any attempt to connect to or scan the firewall immediately results in my home system being blocked because it is in the whitelist.

One night this week I am going to remove Snort entirely and reinstall it to see if it makes any difference. If anyone has any other suggestions please feel free to let me know.

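The two posts above describe the same condition from two angles: a host on the reputation whitelist triggers the preprocessor event 136:2 ("packet is whitelisted"), that event still appears in the alerts after the rule is force-disabled, and only a suppress entry makes it stop. The script below is an added example written for this thread, not code from pfSense or the Snort package. It parses Snort alert_fast lines, checks every event against a threshold.conf-style suppress list and a reputation whitelist file, and reports which whitelisted hosts still have 136:2 logged against them. The sample alerts, whitelist entries and suppress entry are constructed for the example (documentation address ranges, local-range SIDs 1000001 and 1000002); the alert_fast layout, the reputation GID 136 with SIDs 1 and 2, the one-entry-per-line list format and the `suppress gen_id G, sig_id S` syntax are Snort's own.

```python
"""Triage Snort alert_fast output for reputation-preprocessor whitelist events.

Added example for this thread, not code from pfSense or the Snort package.
It parses alert_fast lines, checks each event against a threshold.conf-style
suppress list and a reputation whitelist file, and flags 136:2 ("packet is
whitelisted") events that are still being logged for hosts on the whitelist.
Every sample alert and list below is constructed for the example.
"""
import ipaddress
import re

REPUTATION_GID = 136      # generator id of the Snort reputation preprocessor
WHITELIST_SID = 2         # 136:2 = packet is whitelisted (136:1 = blacklisted)
TEXT_RULE_GIDS = {1, 3}   # GIDs used by rules loaded from .rules files

# alert_fast layout (IPv4 only here):
#   ts  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)
# threshold.conf: "suppress gen_id 136, sig_id 2" (track/ip options may follow)
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.M)


def parse_alert(line):
    """Return the fields of one alert_fast line, or None if it is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {"gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"],
            "proto": m["proto"], "src": m["src"], "dst": m["dst"]}


def parse_suppress(text):
    """Collect (gid, sid) pairs from suppress lines."""
    return {(int(g), int(s)) for g, s in SUPPRESS_RE.findall(text)}


def load_whitelist(text):
    """Reputation list format: one IP or CIDR per line, '#' starts a comment."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def in_list(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def triage(alert_lines, suppress, whitelist):
    """Annotate each parsed alert with suppression, whitelist and event-type checks."""
    results = []
    for line in alert_lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["gid"], a["sid"])
        a["suppressed"] = key in suppress
        a["preprocessor_event"] = a["gid"] not in TEXT_RULE_GIDS
        a["src_whitelisted"] = in_list(a["src"], whitelist)
        a["dst_whitelisted"] = in_list(a["dst"], whitelist)
        if a["suppressed"]:
            # A suppressed event never reaches the log; one that is logged anyway
            # means the running Snort has not loaded the current suppress list.
            a["finding"] = "suppressed gid:sid still in log; restart Snort after editing the suppress list"
        elif key == (REPUTATION_GID, WHITELIST_SID):
            a["finding"] = "whitelist event logged for %s -> %s and not suppressed" % (a["src"], a["dst"])
        elif a["preprocessor_event"]:
            a["finding"] = "preprocessor event (GID %d); not a .rules-file rule" % a["gid"]
        else:
            a["finding"] = None
        results.append(a)
    return results


def whitelisted_hosts_hit_by_whitelist_event(results):
    """Whitelisted source hosts for which 136:2 is still being logged."""
    return sorted({r["src"] for r in results
                   if (r["gid"], r["sid"]) == (REPUTATION_GID, WHITELIST_SID)
                   and not r["suppressed"] and r["src_whitelisted"]})


# Constructed sample data (not captured from a real sensor).
SAMPLE_WHITELIST = "203.0.113.7      # admin home system\n192.0.2.0/24     # mail segment\n"
SAMPLE_SUPPRESS = "suppress gen_id 136, sig_id 2\n"   # the workaround used in the thread
SAMPLE_ALERTS = """\
12/14-09:31:07.123456  [**] [136:2:1] (spp_reputation) packet is whitelisted [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.0.113.7:51234 -> 198.51.100.1:443
12/14-09:31:08.001122  [**] [1:1000001:1] LOCAL probe against firewall [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51240 -> 198.51.100.1:22
12/14-09:32:15.445566  [**] [1:1000002:1] LOCAL IMAP protocol error [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.25:143 -> 198.51.100.40:50112
12/14-09:33:00.000000  [**] [1:1000001:1] LOCAL probe against firewall [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.200 -> 198.51.100.1
"""

if __name__ == "__main__":
    wl = load_whitelist(SAMPLE_WHITELIST)
    for label, sup in (("no suppress entry", set()),
                       ("136:2 suppressed", parse_suppress(SAMPLE_SUPPRESS))):
        res = triage(SAMPLE_ALERTS.splitlines(), sup, wl)
        print(label, "->", whitelisted_hosts_hit_by_whitelist_event(res))
        for r in res:
            if r["finding"]:
                print("  [%d:%d] %s" % (r["gid"], r["sid"], r["finding"]))
```

Run against a real alert_fast file by feeding its lines to `triage()` with the sensor's threshold.conf and whitelist contents. The useful output is the host list: a whitelisted host that appears there after a restart is exactly the case the thread describes, and the per-event findings separate text-rule alerts (which the rule set's enable/disable state governs) from preprocessor events, which need their own suppress entry.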
armandelli

Hey! Did you manage to resolve this issue? Same thing is happening to me as well! Tks a lot!

S_Erickson

Hey

Sorry for the (very) late reply, I stopped checking the thread. I have not resolved the issue; it still works in this counter-intuitive manner. As of right now I am just letting it work with the rules suppressed and disabled. We have been working on moving to Suricata inline as a replacement, but haven't moved it from the testing stage yet. I've actually been away from the office for some time now and have to catch up on Suricata development. They were having issues with the inline mode and VLAN tags. Hopefully that has been resolved.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.