Pass list is not working in Suricata on PFSENSE ( latest version )
-
Hello, I hope you are doing well.
The pass list that I have added through pfSense for Suricata is not added to the Suricata config file, so all of the alerts will trigger on the IP addresses that I have added in the pass list.
Please tell me what I can do about it.
Steps to reproduce:
create a pass list
restart suricata
now go to the shell and look at the config file of suricata:
ps -aux | grep suricata
now cat the config file and grep for pass_list
go and see the content
Please help.
Thanks.
-
IP on Pass List: alert is still logged, but no action (block) happens.
IP on Suppress list: alert matching the suppression rule is not logged (no alert) and thus not blocked.
-
Oh wait I misread that, are you saying the pass list isn't taking effect? Is it set on the interface's settings tab?
-
@lovidi6842 said in Pass list is not working in Suricata on PFSENSE ( latest version ):
Hello, I hope you are doing well.
The pass list that I have added through pfSense for Suricata is not added to the Suricata config file, so all of the alerts will trigger on the IP addresses that I have added in the pass list.
Please tell me what I can do about it.
Steps to reproduce:
create a pass list
restart suricata
now go to the shell and look at the config file of suricata:
ps -aux | grep suricata
now cat the config file and grep for pass_list
go and see the content
Please help.
Thanks.
You are not understanding how the package works. You should never be in the CLI when using the GUI package, and if you do go there, you must be in the proper sub-directory for the configured interface. The PHP GUI code rewrites the suricata.yaml conf file for each interface each time you save a change in the GUI. Furthermore, the files you see in the /usr/local/etc/suricata directory are not used to configure the Suricata interfaces. I have a feeling that's where you are looking for the Pass List. It will never show up there. Instead, there is a sub-directory underneath /usr/local/etc/suricata for each configured Suricata interface. Look in the appropriate sub-directory to find the suricata.yaml and other conf files for an interface.
You must do three things when you add a custom Pass List.
-
First, of course, you must create the Pass List on the PASS LIST tab and save it with a name.
-
Next, go to the INTERFACE SETTINGS tab for the interface where you want to use a Pass List and scroll down to the Pass List drop-down selector and select the Pass List in the control. Save the change. This assigns the pass list to the interface. A lot of new users overlook this critical step!
-
Finally, restart Suricata on the changed interface by clicking the icon on the INTERFACES tab.
The Pass List function works just fine in the Suricata package. It is "the user" that is not working in this case ...
-
@bmeeks Thanks for your reply. As I saw, there is no Pass List section in the interface tab.
There is an "External Net" with this description:
"Choose the External Net you want this interface to use.
External Net is networks that are not Home Net. Most users should leave this setting at default.
Create a Pass List and add an Alias to it, and then assign the Pass List here for custom External Net settings."
Is this the one that you said should be set so that the pass list takes effect?
-
@lovidi6842 if you have Block Offenders unchecked then the Pass List option isn't shown as it's irrelevant.
-
@teamits Thank you <3
-
@lovidi6842 said in Pass list is not working in Suricata on PFSENSE ( latest version ):
@teamits Thank you <3
Or, if you have Inline IPS Mode enabled, there is no Pass List option then as it is not used in that mode. For Inline IPS blocking, you need to create your own Custom Rules with the PASS action. But in reality the Pass List function is really not needed with Inline IPS Mode.
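
What the last reply describes for Inline IPS Mode, as an added example that is not from the thread or from the Suricata package: a small Python helper that turns pass-list style entries into custom rules with the pass action. The sample entries, the message text and the SID base (the range conventionally used for local rules) are assumptions.

```python
import ipaddress

# Assumption: SIDs starting at 1000000 are conventionally used for local rules.
LOCAL_SID_BASE = 1000000

def pass_rules(entries, sid_base=LOCAL_SID_BASE):
    """Turn pass-list style entries (IPs or CIDRs) into Suricata pass rules.

    Returns (rules, rejected). Invalid entries are reported, never guessed at.
    """
    nets, rejected = [], []
    for raw in entries:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        try:
            # strict=True rejects a CIDR with host bits set, e.g. 10.0.0.5/24
            nets.append(ipaddress.ip_network(text, strict=True))
        except ValueError:
            rejected.append(text)
    # Collapse duplicates and overlapping ranges, one address family at a time.
    merged = []
    for version in (4, 6):
        family = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(family))
    rules = []
    for offset, net in enumerate(merged):
        addr = str(net.network_address) if net.num_addresses == 1 else str(net)
        # "ip" covers every protocol; "<>" matches traffic in both directions.
        rules.append(
            f'pass ip {addr} any <> any any '
            f'(msg:"LOCAL pass trusted {addr}"; sid:{sid_base + offset}; rev:1;)'
        )
    return rules, rejected

# Constructed sample entries (documentation address ranges, two bad lines).
SAMPLE = ["192.0.2.10", "198.51.100.0/24", "198.51.100.7", "2001:db8::1",
          "10.0.0.5/24", "not-an-ip"]

if __name__ == "__main__":
    rules, rejected = pass_rules(SAMPLE)
    print("\n".join(rules))
    print("rejected:", rejected)
```

Every generated rule exempts all traffic to and from that address from the other rules, so the rejected list is worth reviewing by hand rather than widening an entry to make it parse.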