Snort Passlist IPs still blocking
-
Hi
I set up one passlist, set it on the interface, and restarted the interface.
If I click on view list the IPs are there, but they are still being blocked.
The passlist has networks in CIDR format. Is it possible to pass CIDR networks in the Snort PassList?
Thanks.
-
Yes, CIDR networks are accepted on the PASS LIST. When you say "still blocking", have you removed the original blocks? You need to go to the BLOCKED tab and delete any blocked IPs that are now on a PASS LIST. They should not come back if things are configured properly.
Can you share your PASS LIST? Also check the system log to see if any error messages were recorded indicating Snort may have a problem parsing one or more lines in the PASS LIST file.
Bill
-
Hi,
Yes, I cleaned all blocks after restarting Snort.
I don't find any errors in the logs, but the block log shows:
Aug 17 18:06:34 snort[27469]: [124:2:1] (smtp) Attempted data header buffer overflow: 1224 chars [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 208.70.91.18:51503 -> 186.xxx.xxx.xxx:25
Aug 17 17:12:55 snort[27469]: [124:2:1] (smtp) Attempted data header buffer overflow: 1097 chars [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 5.10.67.160:50955 -> 186.xxx.xx.xxx:25
My passlist:
5.10.67.0/24 94.186.192.0/24
174.36.154.0/24
192.69.16.0/24
192.69.17.0/24
192.69.18.0/24
192.69.19.0/24
208.43.37.0/24
208.70.88.0/24
208.70.89.0/24
208.70.90.0/24
208.70.91.0/24
177.72.255.0/24
186.233.243.0/24
186.233.244.0/22
200.144.0.0/22
200.144.0.0/20
200.144.0.0/19
200.144.4.0/22
200.144.8.0/22
200.144.12.0/22
200.144.16.0/20
200.144.24.0/22
200.144.74.0/23
201.55.0.0/19
201.55.0.0/18
201.55.16.0/22
201.55.32.0/19
201.55.60.0/22
177.92.208.0/20
200.155.80.0/23
200.155.82.0/23
200.155.84.0/23
200.155.86.0/24
200.155.87.0/24
200.155.88.0/23
200.155.90.0/23
200.155.92.0/24
200.155.93.0/24
200.155.94.0/23
66.159.106.0/24
66.159.107.0/24
Thanks.
-
Sorry to pester you with more questions, but I need to be sure I am clear on some of the facts –
Are you getting actual blocks reappearing on the BLOCKED tab and traffic to/from those hosts is actually interrupted, or are you just seeing these entries reappear on the ALERTS tab? I ask because putting an IP on the PASS LIST should prevent blocks from that IP, but it will not prevent future alerts from showing on the ALERTS tab. When something is on a PASS LIST, the alert still happens, but it does not lead to a block.
I have folks using Snort with varying levels of experience with both it and pfSense, so please excuse me if my additional questions are insulting your intelligence… :). Just need to make sure we are using the same terminology and looking in the same places while troubleshooting.
One other question, are you running Snort on WAN, LAN, somewhere else, or all of the above? If multiple interfaces, which one is experiencing this particular problem?
Bill
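The distinction Bill draws above (a pass-listed source still produces alerts, it just must not produce a block) is easy to check offline against the log lines and list posted in this thread. The script below is an added example written for this page, not code from the pfSense Snort package: it validates a pass list the way a reviewer would before blaming Snort (one IP or CIDR per line, which is the file layout the pfSense package is assumed to generate), parses alert lines in the block-log format quoted above, and reports which alerting source addresses are covered by the list and therefore should alert but never appear on the BLOCKED tab. The pass list text is a constructed excerpt of the poster's list with the first line deliberately carrying two entries, and the third alert line is constructed with a documentation address; everything else is taken from the thread.

```python
import ipaddress
import re

# Constructed excerpt of the pass list posted in the thread. The first line
# deliberately holds two entries on one line so the validator has something to flag.
PASSLIST_TEXT = """\
5.10.67.0/24 94.186.192.0/24
208.70.91.0/24
200.144.0.0/19
200.144.4.0/22
66.159.107.0/24
"""

# Alert lines in the block-log format quoted in the thread; the first two are the
# poster's (destinations masked as posted), the third is constructed (203.0.113.0/24 is
# a documentation range) to show a source that is not on the list.
ALERT_LINES = [
    "Aug 17 18:06:34 snort[27469]: [124:2:1] (smtp) Attempted data header buffer overflow: 1224 chars [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 208.70.91.18:51503 -> 186.xxx.xxx.xxx:25",
    "Aug 17 17:12:55 snort[27469]: [124:2:1] (smtp) Attempted data header buffer overflow: 1097 chars [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 5.10.67.160:50955 -> 186.xxx.xx.xxx:25",
    "Aug 17 16:01:02 snort[27469]: [124:2:1] (smtp) Attempted data header buffer overflow: 900 chars [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:40000 -> 186.xxx.xx.xxx:25",
]

# gid:sid:rev, protocol, src:port -> dst:port at the end of the line
ALERT_RE = re.compile(r"\[(\d+:\d+:\d+)\] .*?\{(\w+)\} (\S+):(\d+) -> (\S+):(\d+)\s*$")


def parse_passlist(text):
    """Return (networks, problems).

    Assumes one IP address or CIDR block per non-empty, non-comment line.
    Lines that hold several tokens or do not parse are reported, not silently
    dropped, because a rejected line means those hosts are NOT pass-listed.
    """
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens) != 1:
            problems.append((lineno, raw, "more than one entry on the line"))
            continue
        try:
            # strict=False accepts host bits set inside the prefix, as the live config would
            networks.append(ipaddress.ip_network(tokens[0], strict=False))
        except ValueError as exc:
            problems.append((lineno, raw, str(exc)))
    return networks, problems


def parse_alert(line):
    """Extract signature, protocol and endpoints from one block-log line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    sig, proto, src, sport, dst, dport = m.groups()
    return {"sig": sig, "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


def covering_network(ip_str, networks):
    """First pass-list network containing ip_str, or None (also for masked/invalid text)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    return next((n for n in networks if ip in n), None)


def triage(alert_lines, passlist_text):
    """Annotate each parsable alert with whether its source is pass-listed."""
    networks, problems = parse_passlist(passlist_text)
    results = []
    for line in alert_lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        net = covering_network(alert["src"], networks)
        alert["passlisted"] = net is not None
        alert["matched_network"] = str(net) if net else None
        results.append(alert)
    return results, problems


if __name__ == "__main__":
    results, problems = triage(ALERT_LINES, PASSLIST_TEXT)
    for lineno, raw, why in problems:
        print(f"pass list line {lineno} rejected ({why}): {raw!r}")
    for r in results:
        verdict = f"pass-listed via {r['matched_network']}, alert only" if r["passlisted"] else "not pass-listed, block expected"
        print(f"{r['sig']} {r['proto']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}: {verdict}")
```

Running it shows the point of the validation step: the doubled first line is rejected, so 5.10.67.160 comes out as not pass-listed even though 5.10.67.0/24 was meant to be on the list, while 208.70.91.18 is matched by 208.70.91.0/24 and should only ever show on the ALERTS tab. Source addresses that are masked or malformed are reported as unmatched rather than causing a crash.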
-
Any fix for this yet? I am having the same issue and it's pissing me off, having to completely disable Snort/Suricata due to this, same issue with both.
-
Very strange!
Yes, I set up the passlist on the interface. And restarted it.
Yes, the IPs are on the "Blocked" tab. But on 08/17 I edited the alias to add some other IPs, restarted Snort again, and voilà. Now it's working perfectly!!!