Snort whitelist seemingly not working
-
Hi,
I've got an IP address configured in the whitelist, and the whitelist is configured in the interface tab, yet I'm still seeing log entries showing ping is blocked.
Any ideas?
-
Which version are you using? Currently the snort package does not quit its instance when restarted, and a new one starts after every rule update. Unusable in my opinion.
You can check how many times snort is running with ps aux | grep snort on the shell. If you kill them all and restart snort, the whitelist will work, I think.
snort-dev does not show this behaviour. But JamesDean issued a warning about installing that on the mainline version of pfSense. Don't know why, because it is running more stably on my 2.0.1 system. You just can't see blocked hosts at the moment, only in the snort2c table. Sometimes it stops working without obvious reason. For a version in development it works quite well. Maybe there are side effects I did not realize yet.
Greets, Judex
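Added example, not code from the thread or from the pfSense package: a small POSIX sh check for the state the reply above describes, counting the snort daemons that `ps aux` shows and flagging any interface that has more than one instance bound to it (the stale one still holds the old rules and whitelist). The ps output below is constructed; the PIDs, config paths and interface names are assumptions.

```shell
# Constructed sample of `ps aux` output on a pfSense box hit by the bug:
# two snort instances on em0 (one stale), one on em1, plus the grep itself.
# PIDs, paths and interface names are illustrative, not from a real system.
SAMPLE_PS='USER   PID %CPU %MEM   VSZ   RSS TT  STAT STARTED    TIME COMMAND
root  1234  0.0  0.1  1000   500  -  Ss   10:00AM 0:00.01 /usr/local/bin/snort -R 1234 -D -q -l /var/log/snort -c /usr/local/etc/snort/snort_1234_em0/snort.conf -i em0
root  5678  0.0  0.1  1000   500  -  Ss   10:05AM 0:00.01 /usr/local/bin/snort -R 5678 -D -q -l /var/log/snort -c /usr/local/etc/snort/snort_5678_em0/snort.conf -i em0
root  9012  0.0  0.1  1000   500  -  Ss   10:05AM 0:00.01 /usr/local/bin/snort -R 9012 -D -q -l /var/log/snort -c /usr/local/etc/snort/snort_9012_em1/snort.conf -i em1
root  3456  0.0  0.0   500   200  0  S+   10:06AM 0:00.00 grep snort'

# Number of snort daemon processes in ps-style input on stdin
# (what `ps aux | grep snort` shows, minus the grep line itself).
snort_process_count() {
    grep '/snort ' | grep -v 'grep' | wc -l | tr -d ' '
}

# Print "iface count" for every interface with more than one snort process.
# The interface is taken from the trailing "-i <iface>" argument on each line;
# the header and the grep line carry no such argument and drop out.
duplicate_snort_instances() {
    grep '/snort ' | grep -v 'grep' |
    sed -n 's/.* -i \([^ ]*\).*/\1/p' |
    sort | uniq -c |
    awk '$1 > 1 { print $2, $1 }'
}

# Run against the constructed sample; on a live box pipe `ps aux` in instead.
echo "snort processes: $(echo "$SAMPLE_PS" | snort_process_count)"
echo "$SAMPLE_PS" | duplicate_snort_instances
```

On the sample this reports three snort processes and prints `em0 2`, which is the condition under which killing all instances and restarting snort, as suggested above, is worth trying.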
-
> I've got an IP address configured in the whitelist, and the whitelist is configured in the interface tab, yet I'm still seeing log entries showing ping is blocked.
> Any ideas?
Did you reboot pfSense? There seems to be a bug currently whereby "stopping" or "restarting" snort doesn't really do that, and simply launches another instance without properly killing the previously running one, so it keeps sticking to the old rules, or so it seems.
-
I'm using 2.01 with Snort installed in the last few days… Snort 2.9.2.3 pkg v. 2.2.1
As I'm new to snort, I'm stumbling along really... I've enabled basic rules and emerging threats and ticked all categories and pre-processors...
Seeing both of your posts, I just rebooted my two firewalls and still see the following in my System Logs:
ET SCAN Cisco Torch SNMP Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} MY_NAGIOS_HOST -> IP:SNMP
But I've whitelisted my Nagios box, so I wouldn't expect to see anything about traffic from it.
Is this the only log? It's hard to see what's happening with only the system log and the snort widget on the dashboard.