Snort in 2.3.2 and /32s
-
hi,
Basically I have Snort installed on pfSense 2.3.2. I need to whitelist networks as well as certain hosts. I've created a whitelist via a networks alias, attached this to a passlist, then enabled that under the WAN Snort interface. It seems to ignore a /32 and lets it get blocked. I'm in a catch-22, as I could add just a hosts list if that's the problem, but I need certain networks whitelisted. :/ Looking at its self-generated lists, it just has the IP for single hosts, as in no /32 after the IP, but that shouldn't really matter?
thanks
matt
-
The missing /32 on a single host should not matter. Two things come to mind if you are still getting blocks on a whitelisted IP.
1. Did you go to the Snort Interface in EDIT mode, assign the whitelist in the appropriate drop-down, then save the update and restart Snort on the interface?
2. Do you by chance have a duplicate Snort process that may be ignoring your whitelist? Under some conditions a duplicate Snort process can fire off for an interface. To check this, execute this command from a shell prompt:
ps -ax | grep snort
That should show exactly one process per interface. If you see more Snort processes than you have configured interfaces, then kill them all and restart Snort on each interface in the GUI.
Bill
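The duplicate-process check described above, as an added shell example that is not part of the original thread: it parses ps -ax style output (the sample lines below are constructed, and it assumes each Snort command line carries an "-i <iface>" argument) and reports any interface that has more than one Snort process.

```shell
#!/bin/sh
# Added example (not from the original thread): count Snort processes per
# interface from `ps -ax` output and flag interfaces with more than one.
# Assumption: every Snort command line contains "-i <iface>".

# Read ps output on stdin, print "<iface> <count>" per interface.
snort_procs_per_iface() {
    grep '[/]snort' |                      # only real snort binaries, not "grep snort"
    sed -n 's/.* -i \([^ ]*\).*/\1/p' |    # pull the interface after -i
    sort | uniq -c |                       # count per interface
    awk '{ print $2, $1 }'                 # "<iface> <count>"
}

# Exit 0 when every interface has exactly one Snort process, 1 otherwise.
check_no_duplicate_snort() {
    snort_procs_per_iface |
    awk 'BEGIN { bad = 0 } $2 != 1 { bad = 1 } END { exit bad }'
}

# Constructed sample: em0 has a duplicate process, em1 is healthy.
SAMPLE_PS_DUP='  123  -  Ss   0:01.23 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em0/snort.conf -i em0
  456  -  Ss   0:00.50 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em0/snort.conf -i em0
  789  -  Ss   0:00.10 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em1/snort.conf -i em1
  999  0  S+   0:00.00 grep snort'

# Constructed sample: one process per interface, as it should be.
SAMPLE_PS_OK='  123  -  Ss   0:01.23 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em0/snort.conf -i em0
  789  -  Ss   0:00.10 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em1/snort.conf -i em1'

# Stand-alone run: print per-interface counts for the duplicate sample.
printf '%s\n' "$SAMPLE_PS_DUP" | snort_procs_per_iface
```

On a live box, feed it the real process list with `ps -ax | check_no_duplicate_snort || echo "duplicate snort process found"`.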