Why is Snort ignoring my Pass List(Alias)?

  • Hi
    After I went from pfSense version 2.2.6 to 2.3 I began having issues connecting via RDP.
    I have just been ignoring it for a while, because it wasn't that important (and vacation ;D).

    But today it really annoyed me, so I looked closer. It seems that every time I try to connect via RDP, my IP ends up in the "Blocked" list (I'm connecting from the same IP each time, where I have NAT/FW rules that allow connection from only that specific global IP).
    I have had this specific IP all along (before the upgrade) in my Snort Pass List (Alias).

    Please see the attached pictures for more info.
    If you need any info, just ask.

    Any help/hint is much appreciated.


  • Hi,

    Same problem with Suricata: the FTP download stops, blocked by Suricata. I whitelisted the external server and unblocked it, started over, and it stops again  :'( I whitelisted the whole /16 subnet of the FTP server, but it was the same IP; unblocked, started over, bam, blocked.
    I use legacy mode to inspect. The download: ftp://ftp.gwdg.de/pub/linux/knoppix/dvd/KNOPPIX_V7.6.1DVD-2016-01-16-DE.iso via wget.


  • Please, anyone!
    I would consider this a serious issue (for me at least) or maybe even a bug, unless I have made some configuration error of course, which I'm apparently unable to locate by myself  :-[

    So, is anyone willing "to hold my hand" in this debugging process and/or, maybe even better, try this on their own pfSense ;D

  • I'm certainly no expert, but I wonder if possibly there could be two snort instances running.  If so, as I understand it, one of them wouldn't be using the settings you make in the GUI.  I've read about several examples of this in the forum.

  • Thanks for the suggestion @khorton
    But unfortunately it does not seem to be my issue.

    Shell Output - ps -ax | grep snort
    30136  -  INs     83:34.25 /usr/local/bin/snort -R 9496 -D -l /var/log/snort/sn
    30421  -  SN       1:16.62 /usr/local/bin/barnyard2 -r 9496 -f snort_9496_igb1.
    78985  -  S        0:00.00 sh -c ps -ax |grep snort 2>&1
    79614  -  S        0:00.00 grep snort

    As I mentioned earlier, I'm open to any suggestions as I really would like to solve (or at least understand) my issue.

