Using the same whitelist in pfB and Snort
-
Hello,
I've been trying to find a way to use the same list of IPs in both pfB and Snort, so I don't have to maintain two independent whitelists.
One would think that it would be easy, but I couldn't get it to work.
Snort only allows system-wide aliases (Firewall > Aliases). It doesn't seem capable of retrieving IPs from a URL...
Using "Alias Native" in pfB allows the list to be used in a FW rule, but it can't be used in Snort for the above-mentioned reason... (URL)
I thought of creating a system-wide alias with the IPs, then creating a list in pfB (IPv4) and entering the alias name in the source, but pfB won't let me do this.
Short of treating these two packages as completely independent and maintaining two identical whitelists, how can I make them use the same IP list?
-
@pftdm007 you’re saying Snort won’t let you pick a URL alias? I guess I hadn’t realized.
Brainstorming, since it allows nested aliases can you create one that includes your existing alias?
-
If I understand you correctly, you are suggesting to create an alias (Firewall > Aliases), add the pfB IP list to this alias, and then use this alias in Snort as the passlist?
FYI, the list from pfB I want to use in Snort is called "pfB_pass_IP_v4".
I tried creating an alias and adding the pfB IP list to it using each of the following types, and got these errors:
Type: Hosts
    The alias(es): pfB_pass_IP_v4 cannot be nested because they are not of the same type.
Type: URL (IPs)
    A valid URL or alias must be provided. Could not fetch usable data from 'pfB_pass_IP_v4'.
Type: URL Table (IPs)
    A valid URL must be provided.
-
@pftdm007 pfB aliases are URLs, see Firewall/Aliases/URLs and plug that URL into another URL alias. (?)
-
Could not fetch the URL 'https://127.0.0.1:468/pfblockerng/pfblockerng.php?pfb=pfB_pass_IP_v4'.
It's looking more and more like a missing feature in pfSense! (a minor one, that is.....) :)
Perhaps @BBcan177 would have a suggestion to link those two together?
If there's no elegant way of doing this, I would suggest being able to use a system alias in pfB, since what I'm trying to do is use the same list across multiple packages, so a top-down approach makes more sense to me:
System Alias
 |
 |---> pfBlocker ipv4 list
 |---> Snort whitelist
instead of
|---> System alias------*---> |
|                             |
|---< pfBlocker ipv4 list     | Snort whitelist<------|
* somehow managing to transform a URL alias into something Snort can digest...
-
@pftdm007 said in Using the same whitelist in pfB and Snort:
pfB_pass_IP_v4
I believe all you should need to do is take your pfB alias name "pfB_pass_IP_v4" instead of the URL for it and just place that in Snort's Passlist tab by editing the current passlist that's being used: enter only the name of the alias in the "Assigned Alias" field, as noted on https://docs.netgate.com/pfsense/en/latest/packages/snort/passlist.html. The pfB alias "pfB_pass_IP_v4" you created in pfBlockerNG is already an ALIAS itself; there's no need to make an entire duplicate of it, nor to create a whole separate one on the system ALIAS tabs. That would only double the workload to obtain the same amount of info each cron/update. I do similar for my passlist on Suricata, one for IPs and one for domains, and it works well as long as RAMDISK isn't being used; otherwise it will fall out of sync after reboots until pfBlockerNG is reloaded, and fill logs with residual alerts until it does. I prefer Suricata's means for creating passlists: it allows me to add an entire list of multiple ALIASes to it rather than just a single ALIAS like Snort limits you to.
-
I just tried to add the pfB aliases directly in Snort's pass list and saved.
I didn't see any errors anywhere (either in the GUI or in the syslog).
However, when I click "View List" in a Snort interface for the pass list, I only get IPs from the checkboxes (Local networks, WAN, DNS, etc.) and those under the alias "service_suppliers" (which is a simple system alias I use in FW rules). Nothing from the other aliases starting with "pfB_"...
I tried force-updating its rules; it didn't help.
Unless I am wrong, there are no tables for the Snort passlists... so it's impossible to see their content... (at least under "Diagnostics > Tables")
-
@pftdm007 Did you restart Snort?
The pass list is read in at startup. It's not a pf table.