    Suricata Ignoring IPs in Pass List Aliases (Yes I've Restarted)

IDS/IPS
14 Posts 8 Posters 5.3k Views
abujammy

      Hey all, I hope I can get an answer to this.  Just when I thought I was starting to understand all this. :D

      All the other IPs that I have in this list work fine, but when I added the Github IPs to it, they just simply refuse to work.

      Please see the screenshots for more detail.  Basically I:

• Created a firewall alias list
• Created a Suricata pass list based on the alias list
• Restarted the entire router
• Triggered an alert for the IP I added to the alias list
• That IP is still added to the Suricata block list.

      Please help me to understand what's going on.
[Screenshots attached: blocked-hosts.png, alerts-after-change-and-restart.png, pass-list.png, firewall-alias-list.png]

doktornotor

You need to assign the custom pass list to the interface.

bmeeks

          @doktornotor is 100% correct.  This is a common oversight by new users, so I will give a brief review of how PASS LISTs work.  This is true for both Suricata and Snort.

          If you do nothing, the package creates and uses a default hidden PASS LIST that includes the WAN IP, configured DNS servers on the firewall, the default gateway, virtual IPs, VPNs and all locally attached networks.  This works for a majority of users.  You don't have to do anything for the default list to work.

          If you want to add additional IP addresses or networks, or remove some of the built-in components, then you must create a custom PASS LIST.  You can assign a single alias to a custom PASS LIST.  That single alias can contain as many IP addresses as you like, but none of them can be FQDN aliases.  FQDN aliases are not supported.

Once you create your custom PASS LIST, you then must tell Suricata (or Snort) where to use it.  To do this, go to the INTERFACE SETTINGS tab for the interface where you want to use the PASS LIST and select it in the PASS LIST drop-down (see @doktornotor's screenshot).  Save the change and then restart Suricata (or Snort) on the interface so it will pick up the new PASS LIST.

          I should probably add a reminder/nag dialog to the PASS LIST screen to alert users to this requirement.

          Bill

abujammy

            @doktornotor thank you SO MUCH!  This is the part that I was missing!!

            @bmeeks I read the notes on the pass list screen like 12 times so a note there that it needs to be enabled on each interface would have definitely helped.

So that leads me to one more, smaller question.  Now that I know I can only have one pass list per interface: I have my alias lists all neat and organized into groups, so I want multiple alias lists to be applied as pass lists to a given interface.  Otherwise I either have to unorganize my aliases or duplicate them in one big "master" pass list alias.  Is there a third option that I'm unaware of?  Is there a way to pull multiple lists together via a URL that pfSense provides for each alias, like I can do with pfBlocker's blocklists?

SteveITS

              @abujammy:

              I want multiple alias lists to be applied as pass lists to a given interface.  Otherwise I either have to unorganize my aliases or duplicate them in one big "master" pass list alias list.

A firewall alias can contain other aliases.  On the Firewall: Aliases page it says, "You can enter the name of an alias instead of the host, network or port in all fields that have a red background."

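As an added example (not a post from this thread, and not code from the pfSense Suricata or Snort package), here is a small Python model of the pass-list behaviour @bmeeks and @teamits describe above: a nested firewall alias is flattened into networks, FQDN entries are rejected because pass lists do not support them, the result is combined with a stand-in for the hidden default list (WAN IP, DNS servers, gateway, VIPs, VPN and local networks), and the script reports which alerting IPs would still land in the block table when the custom list is not assigned to the interface versus when it is. Every alias name, address and alert IP below is constructed, and the default-list sources are a hypothetical stand-in, not the package's real data structure.

```python
from ipaddress import ip_address, ip_network

# Constructed alias table (hypothetical names and addresses, not from the thread):
# name -> entries.  An entry is an IP, a CIDR network, or the name of another
# alias, since pfSense lets an alias contain other aliases.
ALIASES = {
    "suricata_pass": ["corp_services", "git_hosting", "10.20.0.0/16"],
    "corp_services": ["192.0.2.10", "192.0.2.11"],
    "git_hosting": ["203.0.113.0/24", "2001:db8:1::/48"],
    "broken_alias": ["corp_services", "git.example.invalid"],  # FQDN entry
}

# Constructed stand-in for what the package's hidden default pass list holds:
# WAN IP, firewall DNS servers, default gateway, virtual IPs, VPN and local nets.
DEFAULT_SOURCES = {
    "wan_ip": ["198.51.100.7"],
    "dns_servers": ["198.51.100.1"],
    "default_gateway": ["198.51.100.254"],
    "virtual_ips": ["198.51.100.8"],
    "vpn_networks": ["10.8.0.0/24"],
    "local_networks": ["192.168.1.0/24", "fd00:1::/64"],
}


def resolve_alias(name, aliases=ALIASES, _seen=frozenset()):
    """Flatten an alias, following nested alias references, into ip_network
    objects.  Rejects FQDN entries (unsupported in pass lists) and cycles."""
    if name in _seen:
        raise ValueError(f"alias cycle through {name!r}")
    nets = []
    for entry in aliases[name]:
        if entry in aliases:                      # nested alias: recurse
            nets.extend(resolve_alias(entry, aliases, _seen | {name}))
            continue
        try:
            nets.append(ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(
                f"{entry!r} in alias {name!r} is not an IP or network; "
                "FQDN aliases are not supported in a pass list") from exc
    return nets


def build_pass_list(custom_alias=None, *, keep_defaults=True,
                    aliases=ALIASES, defaults=DEFAULT_SOURCES):
    """Effective pass list for one interface: the default components
    (unless removed) plus at most ONE custom alias, as the package allows."""
    nets = []
    if keep_defaults:
        for entries in defaults.values():
            nets.extend(ip_network(e, strict=False) for e in entries)
    if custom_alias is not None:
        nets.extend(resolve_alias(custom_alias, aliases))
    return nets


def is_passed(ip, pass_nets):
    """True if the address falls inside any pass-list network.
    An IPv4 address tested against an IPv6 network is simply not contained."""
    addr = ip_address(ip)
    return any(addr in net for net in pass_nets)


def blocked_hosts(alert_ips, pass_nets):
    """Given IPs that triggered alerts, return those the package would still
    add to the block table because no pass-list entry covers them."""
    return [ip for ip in alert_ips if not is_passed(ip, pass_nets)]


# Constructed alert source IPs, as if read from the ALERTS tab.
ALERT_IPS = ["203.0.113.42", "192.0.2.10", "192.168.1.50", "233.252.0.9",
             "2001:db8:1::5"]

if __name__ == "__main__":
    # The original poster's situation: custom pass list created but NOT
    # selected on the interface, so only the hidden default list applies.
    unassigned = build_pass_list(custom_alias=None)
    print("blocked, default list only:", blocked_hosts(ALERT_IPS, unassigned))
    # After selecting the custom pass list on the INTERFACE SETTINGS tab.
    assigned = build_pass_list(custom_alias="suricata_pass")
    print("blocked, custom list assigned:", blocked_hosts(ALERT_IPS, assigned))
    try:
        resolve_alias("broken_alias")
    except ValueError as err:
        print("rejected:", err)
```

Running it shows the GitHub-style range (203.0.113.0/24 here) still being blocked until the custom alias is part of the effective list, and the alias containing an FQDN being refused outright rather than silently ignored, which is the failure mode a pass list with a hostname entry would otherwise produce.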
abujammy

                @teamits I completely missed that.  That totally solves my problem.  Thank you as well.  I'm loving this community so far.  :D

bera

Hi guys…

I recently updated my pfSense to version 2.3-RELEASE, as per the snapshot attached...

Apparently Suricata does detect the alias I declared under the Firewall > Aliases > IP menu...

But only the "defaults" are available in the Suricata > Interfaces > WAN Settings > "Networks Suricata Should Inspect and Protect" drop-down menu, even though I already declared it in the pass list menu...

Please advise, and thank you in advance.

ntct

                    +1

                    I use suricata 3.0_5

                    Pass Lists created on the PASS LIST tab are not available in the drop-down for selection on the INTERFACE tab for a Suricata instance.

bmeeks

                      @ntct:

                      +1

                      I use suricata 3.0_5

                      Pass Lists created on the PASS LIST tab are not available in the drop-down for selection on the INTERFACE tab for a Suricata instance.

                      I had not noticed this.  I will investigate.  Thanks for the report.

                      Bill

pfsenseboonie

                        @bmeeks:

                        @ntct:

                        +1

                        I use suricata 3.0_5

                        Pass Lists created on the PASS LIST tab are not available in the drop-down for selection on the INTERFACE tab for a Suricata instance.

                        I had not noticed this.  I will investigate.  Thanks for the report.

                        Bill

I second this.  Just upgraded to 2.3, which has Suricata 3.0_5, and the pass lists are not selectable from the drop-downs on the interface.

tehknowledge

                          +1 this issue as well. Just upgraded to 2.3 and Suricata will not allow me to use the custom alias for home net. I do not see a passlist anymore. ???

bmeeks

                            @tehknowledge:

                            +1 this issue as well. Just upgraded to 2.3 and Suricata will not allow me to use the custom alias for home net. I do not see a passlist anymore. ???

                            There is a typo in the Bootstrap conversion code for Suricata.  Actually the Snort version of a variable got pasted in there by yours truly without him realizing it.  I found the bug and fixed it today in the version I will be posting very soon (hopefully on Thursday US Eastern time).  I have one more issue I'm working on, then the pull request will be ready.

                            Bill

bera

Awesome…

I thought my configuration went south after the upgrade...  :o :o :o

Keep up the good work....

Many thanks...

tehknowledge

                                You rock Bill. Thank you!
