Netgate Discussion Forum

    Snort in 2.3.2 and /32s

    • mattym

      hi,

      Basically I have Snort installed on pfSense 2.3.2. I need to whitelist networks as well as certain hosts. I've created a whitelist via a networks alias, attached this to a passlist, then enabled that under the WAN Snort interface. It seems to ignore a /32 and lets it get blocked. I'm in a catch-22, as I could add just a hosts list if that's the problem, but I need certain networks whitelisted. :/ Looking at its self-generated lists, it just has the IP for single hosts, as in no /32 after the IP, but that shouldn't really matter?

      thanks

      matt

      • bmeeks

        The missing /32 on a single host should not matter.  Two things come to mind if you are still getting blocks on a whitelisted IP.

        1.  Did you go to the Snort Interface in EDIT mode, assign the whitelist in the appropriate drop-down, then save the update and restart Snort on the interface?

        2.  Do you by chance have a duplicate Snort process that may be ignoring your whitelist?  Under some conditions a duplicate Snort process can fire off for an interface. To check this, execute this command from a shell prompt:

        
        ps -ax | grep snort
        
        

        That should show exactly one process per interface.  If you see more Snort processes than you have configured interfaces, then kill them all and restart Snort on each interface in the GUI.

        Bill
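
The duplicate-process check described in the reply above, as an added example that is not part of the original thread: it groups Snort processes by interface and reports any interface that has more than one. It assumes each Snort process carries `-i <interface>` on its command line; the sample `ps` lines, PIDs, interface names and paths are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find interfaces with duplicate Snort processes.
# Assumption: every Snort process was started with "-i <interface>".

# Reads "PID COMMAND ARGS..." lines on stdin (for instance from
# `ps -ax -o pid,command`) and prints "<iface> <count> <pid,pid,...>"
# for each interface that has more than one Snort process.
snort_duplicates() {
    awk '
        # Only lines with a numeric PID whose executable is snort itself.
        # This skips the header and the "grep snort" line a plain grep would match.
        $1 ~ /^[0-9]+$/ && $2 ~ /(^|\/)snort$/ {
            iface = "(unknown)"
            for (i = 3; i < NF; i++) {
                if ($i == "-i") { iface = $(i + 1); break }
            }
            count[iface]++
            pids[iface] = pids[iface] (pids[iface] == "" ? "" : ",") $1
        }
        END {
            for (k in count)
                if (count[k] > 1)
                    print k, count[k], pids[k]
        }
    ' | sort
}

# Constructed sample input: two Snort processes on em0, one on em1.
sample_ps() {
    cat <<'EOF'
  PID COMMAND
 2101 /usr/local/bin/snort -D -q -i em0 -c /path/to/em0/snort.conf
 2188 /usr/local/bin/snort -D -q -i em1 -c /path/to/em1/snort.conf
 2954 /usr/local/bin/snort -D -q -i em0 -c /path/to/em0/snort.conf
 3012 grep snort
EOF
}

# Run against the constructed sample; on a live system use:
#   ps -ax -o pid,command | snort_duplicates
sample_ps | snort_duplicates
```

No output means every interface has at most one Snort process; any line printed names an interface whose extra process may be running without the current pass list.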
