Netgate Discussion Forum
    Snort blocking pass list

    IDS/IPS

    pfsense7515

      Hello,

      We have pfSense version 2.4.4-RELEASE (amd64). We set up the Snort package, version 3.2.9.7_2. We activated several rules which generate alerts. We created a pass list with many IP addresses to whitelist (not block). We associated this pass list with the WAN interface. The problem we encounter is that the pass list is not considered. Do you have any idea, please?

      Thank You for your help

      Regards

      bmeeks @pfsense7515

        @pfsense7515 said in Snort blocking pass list:

        Hello,

        We have pfSense version 2.4.4-RELEASE (amd64). We set up the Snort package, version 3.2.9.7_2. We activated several rules which generate alerts. We created a pass list with many IP addresses to whitelist (not block). We associated this pass list with the WAN interface. The problem we encounter is that the pass list is not considered. Do you have any idea, please?

        Thank You for your help

        Regards

        After you assigned the Pass List to the interface, did you restart Snort on that interface? Pass List contents are only read once, during startup of Snort on an interface.

        You also really need to consider updating. How did you even install that version of Snort? It has been out of date for quite some time.

        pfsense7515 @bmeeks

          @bmeeks

          Hello, thank you for your reply. About your questions:

          • Did you restart Snort on that interface? Yes, I tried several times but without success. Do you need to restart the Snort service?

          • How did you even install that version of Snort? We set up the integrated package included in pfSense.

          We are aware that it is necessary to update. Do you have any other suggestions, please?

          Thanks a lot

          bmeeks @pfsense7515 (last edited by bmeeks)

            @pfsense7515 said in Snort blocking pass list:

            @bmeeks

            Hello, thank you for your reply. About your questions:

            • Did you restart Snort on that interface? Yes, I tried several times but without success. Do you need to restart the Snort service?

            • How did you even install that version of Snort? We set up the integrated package included in pfSense.

            We are aware that it is necessary to update. Do you have any other suggestions, please?

            Thanks a lot

            No, I have no other suggestions if you have done all of the following:

            1. Open the INTERFACE SETTINGS tab for the affected Snort interface and select the desired Pass List by name in the drop-down selector for Pass List assignment.

            2. SAVE that change and return to the INTERFACES tab in Snort.

            3. Click the icon on the affected interface to restart Snort.

            If Snort has already previously blocked a particular IP address, then you must manually remove that block by going to the BLOCKED tab and deleting the address from the list (or just clear all blocks). Snort hands off blocking to pfSense, so restarting Snort or stopping Snort will not unblock a previously blocked IP address. Just pointing that out because some folks think otherwise. Snort is not dynamic. It only reads a Pass List when starting, and it can't "unblock" anything. When a Snort alert triggers, Snort extracts the IP from the triggering packet and sends it to the firewall for blocking. After that, pfSense itself holds the block, not Snort.

            You really need to update your firewall. Running out of date software on a critical component such as a network firewall is not wise.
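            A small check that follows from the point above, added here as an example and not part of the thread or of the pfSense Snort package: given the Pass List contents and the addresses pfSense is currently holding in the block table, it lists the blocked addresses the Pass List covers, i.e. the ones a Snort restart will never release and that have to be removed by hand from the BLOCKED tab. Both inputs are constructed samples; on a real firewall the blocked list is what the BLOCKED tab shows (the package keeps it in the pf table named snort2c).

```python
import ipaddress

# Constructed sample of a Snort Pass List: one host or network per line,
# comments allowed. Bare addresses are treated as single-host networks.
PASS_LIST_TEXT = """
# trusted monitoring hosts (constructed example)
203.0.113.10
203.0.113.0/28
2001:db8:1::/48
"""

# Constructed sample of addresses currently held in the firewall block table,
# i.e. what the Snort BLOCKED tab would list.
BLOCKED_TEXT = """
203.0.113.10
203.0.113.12
198.51.100.7
2001:db8:1::5
2001:db8:2::5
"""


def parse_pass_list(text):
    """Return ip_network objects; a bare address becomes a /32 or /128."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_blocked(text):
    """Return ip_address objects for every non-empty, non-comment line."""
    return [ipaddress.ip_address(line.strip())
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def stale_blocks(pass_list_text, blocked_text):
    """Blocked addresses that the Pass List covers.

    Snort only consults the Pass List at startup and never unblocks, so these
    entries stay blocked until removed from the BLOCKED tab. Results are
    returned as sorted strings because IPv4 and IPv6 objects do not compare.
    """
    nets = parse_pass_list(pass_list_text)
    # ip in net is False when the address families differ, so mixing v4/v6 is safe
    return sorted({str(ip) for ip in parse_blocked(blocked_text)
                   if any(ip in net for net in nets)})


if __name__ == "__main__":
    for addr in stale_blocks(PASS_LIST_TEXT, BLOCKED_TEXT):
        print("still blocked despite Pass List:", addr)
```

            Each reported address is one to delete from the BLOCKED tab before expecting Pass List behaviour; addresses not reported are blocked legitimately and unaffected by the list.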

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.