Snort Blocking /w Rule Force Disabled
Running PFSense 2.3.2-RELEASE-p1 (amd64)
I have snort working in IDS mode, and have set up the IP Rep preproc, using the emerging threats blacklist and an empty whitelist.
I have added several IP's to the whitelist that I have created but when any of them attempt to communicate it blocks them, saying they are whitelisted. I have tried setting the whitelist to unblack as well as trust, and both times it does the same thing, blocking the packet saying that it is whitelisted. The specific rule, 136:2, has been disabled in the in the interface configuration, and even shows up in the alerts as force disabled but it blocks the IP anyways. If the ip is not in the whitelist it lets it through fine, which seems a little absurd to me. So I have suppressed that rule in addition to disabling it and that seems to work. But this should not be operating like this unless I am (probably) missing something. I have stopped and restarted the service after every setting change, after adding the IP to the whitelist, and after disabling the rule. Every time snort starts up fine with no errors. Anyone have any ideas about what exactly I'm doing wrong here?
Some additional testing results:
With the whitelist rule disabled and suppressed the functionality seems to work for other rules. For example there was an alert for an imap error but because the mail server was added to the whitelist it did not block it. To test it I added the IP for my home system to the whitelist and ran a portscan on the firewall, again an alert was generated but the address was not blocked. Meanwhile if I removed the 136:2 rule from the suppress list, leaving it disabled and restarting snort to refresh the list in memory, any attempt to connect to, or scan the firewall immediately results in my home system being blocked because it is in the whitelist.
One night this week I am going to remove snort entirely even and reinstall it to see if it makes any difference. If anyone has any other suggestions please feel free to let me know.
Hey! Did you manage to resolve this issue? Same thing is happening to me as well! Tks a lot!
Sorry for the (very) late reply, stopped checking the thread. I have not resolved the issue, it still works in this counter intuitive manner. As of right now I am just letting it work with the rules suppressed and disabled. We have been working on moving to Suricata inline as a replacement, but haven't moved it from the testing stage yet. I've actually been away from the office for some time now and have to catch up on suricata dev. They were having issues with the inline mode and vlan tags. Hopefully that has been resolved.