Why is Snort ignoring my Pass List(Alias)?
After I went from pfSense version 2.2.6 to 2.3 I began having issues connecting via RDP.
I have just been ignoring it for a while, because it wasn't that important (and vacation ;D).
But today it really annoyed me, so I looked closer. It seems that every time I try to connect via RDP, my IP ends up in the "Blocked" list (I'm connecting from the same IP each time, where I have NAT/FW rules that allow connection from only that specific global IP).
I have had this specific IP all along (before the upgrade) in my Snort Pass List (Alias).
Please see the attached pictures for more info.
If you need any info, just ask.
Any help/hint is much appreciated.
magicteddy last edited by
Same problem with Suricata: an FTP download stops, blocked by Suricata. I whitelisted the external server and unblocked it, started over, and it stops again :'( I whitelisted the whole /16 subnet of the FTP server, but it was the same IP; unblocked, started over, bam, blocked.
I use legacy mode to inspect. The download: ftp://ftp.gwdg.de/pub/linux/knoppix/dvd/KNOPPIX_V7.6.1DVD-2016-01-16-DE.iso via wget.
I would consider this a serious issue (for me at least) or maybe even a bug, unless I have made some configuration error of course. Which I'm apparently unable to locate by myself :-[
So, is anyone willing "to hold my hand" in this debugging process and/or maybe even better, try this on their own pfSense ;D
khorton last edited by
I'm certainly no expert, but I wonder if possibly there could be two snort instances running. If so, as I understand it, one of them wouldn't be using the settings you make in the GUI. I've read about several examples of this in the forum.
Thanks for the suggestion @khorton
But unfortunately it does not seem to be my issue.
Shell Output - ps -ax | grep snort
30136 - INs 83:34.25 /usr/local/bin/snort -R 9496 -D -l /var/log/snort/sn
30421 - SN 1:16.62 /usr/local/bin/barnyard2 -r 9496 -f snort_9496_igb1.
78985 - S 0:00.00 sh -c ps -ax |grep snort 2>&1
79614 - S 0:00.00 grep snort
As I mentioned earlier, I'm open to any suggestions as I really would like to solve (or at least understand) my issue.
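The duplicate-instance check discussed above can be scripted rather than read off by eye. This is an added example, not part of the original thread: the function name `duplicate_snort_instances` is hypothetical and the sample `ps` lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag Snort daemons that were started
# more than once with the same -R instance id, given `ps -ax` output on stdin.

# Prints "<id> <count>" for every -R id carried by more than one snort process.
# Only field 5 (the command itself) is tested, so barnyard2, the grep and the
# "sh -c ps -ax | grep snort" wrapper lines are never counted.
duplicate_snort_instances() {
    awk '
        $5 == "snort" || $5 ~ /\/snort$/ {
            id = "no-id"                      # snort started without -R
            for (i = 6; i < NF; i++)
                if ($i == "-R") { id = $(i + 1); break }
            seen[id]++
        }
        END { for (id in seen) if (seen[id] > 1) print id, seen[id] }
    ' | sort
}

# Constructed sample input: one snort daemon plus the helper processes that a
# plain "grep snort" also matches. Paths and file names are placeholders.
SAMPLE_SINGLE='PID TT STAT TIME COMMAND
30136 - INs 83:34.25 /usr/local/bin/snort -R 9496 -D -l /var/log/snort/sample
30421 - SN 1:16.62 /usr/local/bin/barnyard2 -r 9496 -f sample.u2
78985 - S 0:00.00 sh -c ps -ax |grep snort 2>&1
79614 - S 0:00.00 grep snort'

# Constructed sample input: the same listing with a second daemon on id 9496,
# i.e. the stale-duplicate situation the reply describes.
SAMPLE_DUP="$SAMPLE_SINGLE
41002 - Ss 0:12.10 /usr/local/bin/snort -R 9496 -D -l /var/log/snort/sample"

printf '%s\n' "$SAMPLE_DUP" | duplicate_snort_instances   # prints: 9496 2
```

On the firewall, pipe `ps -axww` into the function so that long command lines are not cut off at the terminal width.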