Whitelists not working on latest snort (2.8.6 pkg v. 1.33) for 1.2.3-RC3

Thrae

After totally destroying my snort installation to install the newer version (2.8.6) from packages, I finally got the whitelist php GUI working, but the actual whitelist itself does not seem to be working. I have an IP in there I have to keep un-blocking (or simply turn off snort) that's in the whitelist yet still being blocked. There are a lot of IPs in there and NONE of them are being ignored, even after re-creating the whitelist. I properly set it to use "MyWhitelist" instead of default. What can I do to start troubleshooting this issue? Is there a way to see what whitelist snort is using while it's running?

Looking in the snort.conf for my particular adapter, the only line I see referencing the whitelist is this:

"output alert_pf: /usr/local/etc/snort/whitelist/MyWhitelist,snort2c"

And nothing in the rc.d snort.sh file.

snort: 2.8.6 pkg v. 1.27
pfSense: 1.2.3-RC3

Edit: Added that none of the IPs in the whitelist are being ignored, even after re-creating it.

Thrae

This problem (Whitelist being ignored) still occurs after a fresh installation of Snort Package v1.33 (2.8.6).

Additionally, now my Snort GUI is anchored incorrectly. This is after I seemingly deleted all traces of Snort.

Thrae

Thank you very much! Great to see progress being made on this issue. Don't forget about my one-line suggestion for snort.inc in http://forum.pfsense.org/index.php/topic,26324.msg136986.html#msg136986 for when you get a different return than expected from the gateways. One extra replace shouldn't hurt.

I will upgrade to release (stable) as soon as a package is ready with the fix in ready for testing.

jamesdean

Fixed it. Sorry about that.

James

c0urier

Awesome Jamesdean - Looking forward to the release - Keep up the good work =)

jamesdean

THre

Please do a cat on /usr/local/etc/snort/whitelist/MyWhitelist post output.

cat /usr/local/etc/snort/whitelist/MyWhitelist

James