Netgate Discussion Forum

    Why is Snort ignoring my Pass List(Alias)?

      brandur

      Hi
      After I went from pfSense version 2.2.6 to 2.3 I began having issues connecting via RDP.
      I have just been ignoring it for a while, because it wasn't that important (and vacation ;D).

      But today it really annoyed me, so I looked closer. It seems that every time I try to connect via RDP, my IP ends up in the "Blocked" list (I'm connecting from the same IP each time, where I have NAT/FW rules that allow connection from only that specific global IP).
      I have had this specific IP all along (before the upgrade) in my Snort Pass List (Alias).

      Please see the attached pictures for more info.
      If you need any info, just ask.

      Any help/hint is much appreciated.

      Thanks

      Global_IP.jpg
      Snort-Block-Trigger(MSTSC).jpg
      Snort-Block-List.jpg
      Snort-Pass-List.JPG
      Firewall-Alias(Snort).jpg

      SG-4860 w/128GB SSD & 8GB RAM

        magicteddy

        Hi,

        Same problem with Suricata: FTP download stops, blocked by Suricata. Whitelisted the external server and unblocked, started over, it stops again  :'( Whitelisted the whole /16 subnet of the FTP server, but it was the same IP; unblocked, started over, bam, blocked.
        I use legacy mode to inspect. The download: ftp://ftp.gwdg.de/pub/linux/knoppix/dvd/KNOPPIX_V7.6.1DVD-2016-01-16-DE.iso via wget.

        -teddy

        @Work Lanner FW-7525B pfSense 2.7.2
        @Home APU.2C4 pfSense 2.7.2
        @CH APU.1D4 pfSense 2.7.2

          brandur

          Please, anyone!
          I would consider this a serious issue (for me at least) or maybe even a bug, unless I have made some configuration error of course, which I'm apparently unable to locate by myself  :-[

          So, is anyone willing "to hold my hand" in this debugging process and/or, maybe even better, try this on their own pfSense ;D

          SG-4860 w/128GB SSD & 8GB RAM

            khorton

            I'm certainly no expert, but I wonder if possibly there could be two snort instances running.  If so, as I understand it, one of them wouldn't be using the settings you make in the GUI.  I've read about several examples of this in the forum.

              brandur

              Thanks for the suggestion @khorton
              But unfortunately it does not seem to be my issue.

              
              Shell Output - ps -ax | grep snort
              30136  -  INs     83:34.25 /usr/local/bin/snort -R 9496 -D -l /var/log/snort/sn
              30421  -  SN       1:16.62 /usr/local/bin/barnyard2 -r 9496 -f snort_9496_igb1.
              78985  -  S        0:00.00 sh -c ps -ax |grep snort 2>&1
              79614  -  S        0:00.00 grep snort
              
              

              As I mentioned earlier, I'm open to any suggestions as I really would like to solve (or at least understand) my issue.
              Thanks

              SG-4860 w/128GB SSD & 8GB RAM
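
Added example (not part of the thread, and not pfSense or Snort project code): one way to run the duplicate-instance check khorton suggests over `ps -ax` output, flagging any Snort `-R` id held by more than one process. The sample listing is constructed, and it is an assumption that a stale duplicate carries the same `-R` id as the instance the GUI manages.

```shell
#!/bin/sh
# Constructed sample: the listing from the thread plus one invented
# duplicate snort process (pid 41277) to show what a hit looks like.
sample_ps() {
cat <<'EOF'
30136  -  INs     83:34.25 /usr/local/bin/snort -R 9496 -D -l /var/log/snort/sn
41277  -  SNs     12:02.10 /usr/local/bin/snort -R 9496 -D -l /var/log/snort/sn
30421  -  SN       1:16.62 /usr/local/bin/barnyard2 -r 9496 -f snort_9496_igb1.
78985  -  S        0:00.00 sh -c ps -ax |grep snort 2>&1
79614  -  S        0:00.00 grep snort
EOF
}

# Reads `ps -ax` output (PID TT STAT TIME COMMAND) on stdin and prints one
# line for every -R id that is shared by two or more snort daemons.
find_duplicate_snort() {
    awk '
        # Match only the snort binary itself; barnyard2, grep and the
        # sh -c wrapper have a different command in field 5.
        $5 == "/usr/local/bin/snort" {
            for (i = 6; i < NF; i++) {
                if ($i == "-R") {
                    id = $(i + 1)
                    count[id]++
                    if (id in pids) { pids[id] = pids[id] "," $1 }
                    else { pids[id] = $1 }
                    break
                }
            }
        }
        END {
            for (id in count)
                if (count[id] > 1)
                    printf "instance %s: %d processes (pids %s)\n", id, count[id], pids[id]
        }
    '
}

# Demo on the constructed listing above.
sample_ps | find_duplicate_snort
```

On the firewall itself the function can be fed live data with `ps -ax | find_duplicate_snort`; no output means each `-R` id has a single snort process, as in the listing posted above.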
