Snort 2.9.2.3 pkg v. 2.5.1 Whitelists
-
Snort is ignoring whitelists…
I have checked all settings and everything seems correct. My alias is set up correctly, but Snort still blocks whitelisted IPs / addresses.
I don't know where these are added within the file system, so I could check or manually create these entries.
Snort is currently off for now until I can resolve this issue.
Thanks for any help...
-
Same problem here. I've tried both "Host" and "Network" formats for the Aliases configuration but Snort is not respecting them at all.
-
Tried the same thing.
-
I haven't figured out a place in the filesystem where the whitelist should be entered either. I can't find any whitelist files for Snort despite quite a bit of hunting. Unfortunately I've never used Snort outside of pfSense, so I'm not familiar with its config files.
Still looking…
-
Add the following to your suppress list (Services: Snort: Suppression: Edit)
suppress gen_id 0, sig_id 0, track by_src, ip xxx.xxx.xxx.xxx
Where xxx.xxx.xxx.xxx is the IP you wish to whitelist. Make sure to restart Snort so it takes effect.
"gen_id 0, sig_id 0" is a global parameter and causes it to apply to all rules.
I've tested it every which way and it certainly appears to be working!
-
Thanks! Worked like a charm…
-
OK, this seems to work for certain IPs, but not for subnets… I have the same problem adding whitelists and aliases to the config, but IPs from Homenet are still getting blocked...
-
For networks try this in suppress list:
suppress gen_id 0, sig_id 0, track by_src, ip [xxx.xxx.xxx.xxx/29,yyy.yyy.yyy.yyy/28,zzz.zzz.zzz.zzz/28]
All networks must be in the same suppress line.
-
Great, that saved my life :) Had the same problem for a while and didn't find a solution.
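-
For checking a suppress list before restarting Snort, here is an added example (not posted by anyone in this thread and not part of the Snort package) that reads entries in the two forms quoted above and reports whether a given source IP is covered by a global (gen_id 0, sig_id 0) by_src entry. It models only those forms and does not claim to mirror Snort's own parser; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Matches the suppress form quoted in the thread (single IP or bracketed list).
_SUPPRESS = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*"
    r"track\s+(by_src|by_dst)\s*,\s*ip\s+(.+)$"
)

def parse_suppress(line):
    """Return (gen_id, sig_id, track, [networks]), or None if not a suppress entry."""
    line = line.split("#", 1)[0].strip()
    m = _SUPPRESS.match(line)
    if not m:
        return None
    gen_id, sig_id, track, ip_field = m.groups()
    ip_field = ip_field.strip()
    if ip_field.startswith("[") != ip_field.endswith("]"):
        raise ValueError(f"unbalanced brackets in: {line!r}")
    items = ip_field.strip("[]").split(",")
    # strict=False: this script masks host bits, so x.x.x.3/29 is read as x.x.x.0/29
    nets = [ipaddress.ip_network(item.strip(), strict=False) for item in items]
    return int(gen_id), int(sig_id), track, nets

def covered(src_ip, suppress_text):
    """True if src_ip falls under a gen_id 0 / sig_id 0, track by_src entry."""
    addr = ipaddress.ip_address(src_ip)
    for line in suppress_text.splitlines():
        entry = parse_suppress(line)
        if entry is None:
            continue
        gen_id, sig_id, track, nets = entry
        if (gen_id, sig_id, track) == (0, 0, "by_src") and any(addr in n for n in nets):
            return True
    return False

# Constructed sample using documentation address ranges, not values from the thread.
SAMPLE = """\
suppress gen_id 0, sig_id 0, track by_src, ip 192.0.2.10
suppress gen_id 0, sig_id 0, track by_src, ip [198.51.100.0/29,203.0.113.16/28]
"""

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "198.51.100.8", "203.0.113.31"):
        print(ip, "covered" if covered(ip, SAMPLE) else "NOT covered")
```

Running it against the suppress list pasted from the GUI shows quickly whether an address that is still being blocked actually falls inside one of the listed networks.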