Snort Blocking Pass List IP Addresses
-
So I have snort setup on the latest pfsense version 2.32 P1 platform nano bsd.
I have snort personal edition installed and have followed the basic setup guides for snort and the basic pass list guides for snort from on this url below:
https://doc.pfsense.org/index.php/Snort_passlist
I have setup the aliases in the firewall menu and setup the passlist in snort for my wan interface.
I have completed these instructions however Snort is still blocking the passlist ip addresses. I am not using any FQDN addresses on the passlist as that is not supported by snort.
I have searched the forums for an answers but I cannot find an answer yet. What could be wrong here? What could be preventing snort from obeying my passlist?
Any assistance would be greatly appreciated.
-
Sounds a lot like my issue, which I posted about here(no solution yet) https://forum.pfsense.org/index.php?topic=116671.msg651032
My current workaround was to add the IP in one of my suppression lists like below(I've hidden part of my connecting IP):
#ET POLICY RDP connection confirm
suppress gen_id 1, sig_id 2001330, track by_dst, ip XXX.XXX.184.64 -
Up for this.
I think I am too experiencing this problem on the latest version of pfsense 2.3.4-RELEASE-p1 (amd64)
Any update?
-
I assume that after you assigned the Pass List to the interface on the INTERFACE SETTINGS tab and saved that change that you also restarted Snort. If not, then you must do that. Pass Lists are only parsed and evaluated when Snort starts up. So any changes made during a Snort run are not seen until the next time the service is restarted.
I have tested this multiple times in my VM testing environment and pass lists always worked for me. I have a Kali Linux machine I use to scan and otherwise "harrass" my pfSense virtual machines with Snort installed. Snort will always block the Kali machine when it's not in a Pass List, and not block it when the Kali machine IP is in the Pass List.
Bill