Netgate Discussion Forum

    Snort whitelist seemingly not working

      srthomas

      Hi,

      I've got an IP address configured in the whitelist and the whitelist is configured in the interface tab yet I'm still seeing log entries showing ping is blocked.

      Any ideas?

        judex

        Which version are you using? Currently the snort package does not quit its instance when restarted, and a new one starts after every rule update. Unusable in my opinion.
        You can check how many times snort is running with ps aux | grep snort on the shell. If you kill all and restart snort, the whitelist will work - I think.
        snort-dev does not show this behaviour. But JamesDean issued a warning to install that on mainline version of pfSense. Don't know why, because it is running more stable on my 2.0.1 system. You just can't see blocked hosts at the moment - only in the snort2c table. Sometimes it stops working without obvious reason. For a version in development it works quite well. Maybe there are side effects I did not realize yet.

        Greets, Judex

        2.1-RELEASE (amd64)
        built on Wed Sep 11 18:17:48 EDT 2013
        FreeBSD 8.3-RELEASE-p11

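The check described in the post above, as an added example that is not part of the original thread: a shell function that groups running snort processes by their -i interface and reports any interface with more than one instance. The function names, sample ps lines and config paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find interfaces that have more than
# one snort process, the symptom described above where a stale instance
# keeps running with the old rules and whitelist.
#
# On a live system, feed it real process data:
#   ps -axww -o pid,command | snort_dupes

# Reads "PID COMMAND ARGS..." lines on stdin.
# Prints "<interface> <count> <pids...>" for each interface with duplicates.
snort_dupes() {
    awk '
    # Match on the executable name only, so "grep snort" is not counted.
    $2 ~ /(^|\/)snort$/ {
        iface = "(none)"
        for (i = 3; i < NF; i++)
            if ($i == "-i") { iface = $(i + 1); break }
        sep = (count[iface]++ ? " " : "")
        pids[iface] = pids[iface] sep $1
    }
    END {
        for (iface in count)
            if (count[iface] > 1)
                printf "%s %d %s\n", iface, count[iface], pids[iface]
    }' | sort
}

# Constructed sample: two instances bound to em0 (one left over from a
# restart), one on em1, plus the grep process itself. Paths are placeholders.
sample_ps() {
    cat <<'EOF'
  PID COMMAND
 1203 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em0/snort.conf -i em0
 1377 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em1/snort.conf -i em1
48817 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em0/snort.conf -i em0
48990 grep snort
EOF
}

sample_ps | snort_dupes
```

An empty result means each interface has at most one snort process; any line printed lists the PIDs to compare against the instance that was meant to be running.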
          rcfa

          @srthomas:

          I've got an IP address configured in the whitelist and the whitelist is configured in the interface tab yet I'm still seeing log entries showing ping is blocked.

          Any ideas?

          Did you reboot pfSense? There seems to be a bug currently whereby "stopping" or "restarting" snort doesn't really do that, and simply launches another instance without properly killing the previously running one, so that keeps sticking to the old rules, or so it seems.

            srthomas

            I'm using 2.01 with Snort installed in the last few days… Snort 2.9.2.3 pkg v. 2.2.1

            As I'm new to snort I'm stumbling along really... I've enabled basic rules and emerging threats and ticked all categories and pre-processors...

            Seeing both of your posts I just rebooted my two firewalls and still see the following in my System Logs:
            ET SCAN Cisco Torch SNMP Scan [Classification: Attempted Information Leak] [Priority: 2] {UDP} MY_NAGIOS_HOST -> IP:SNMP

            But I've whitelisted my Nagios box, so I wouldn't expect to see anything about traffic from it.

            Is this the only log? It's hard to see what's happening with only the system log and the snort widget on the dashboard.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.