Snort passlist - URL table IPs alias



  • Hi guys

    I have used Snort since pfSense 1.2.3, and I always thought about the limitation of Snort's passlist, even if an alias can nest other aliases.
    Now I am doing some tests to use a URL table IP alias, loaded from a web server, as a passlist, but it does not seem to work.

    Could anyone confirm this or give some tip to get it working? I did not find anything on the forum about it.

    NB:

    1. I always use IPs in the passlist, never hostnames
    2. The passlist is bound to interfaces
    3. I always restart the interfaces to reload changes

    Forgot to say: I actually can view the populated URL table from Diag > Tables.

    Thanks in advance

    Walter



  • The plugin that does the blocking for Snort on pfSense assumes a PassList contains only actual IP addresses.  The GUI code, when building the configuration files for an interface, will decode all the aliases into IP addresses and write only the IPs into the file handed off to the binary.  At the moment that GUI code does not "understand" URL table IPs and thus is not processing them into IP addresses.

    I can take a look at that to see if improvements are possible.  I will add it to my TODO list for Snort.

    Bill



  • Hey Bill,

    From the info I got, the only address Snort is able to understand and whitelist is the URL address record inside the URL alias, in other terms http://myserverip:port/list.something instead of the list content. I also think this could be bad for Snort since it allows numeric values only.

    Thanks for your quick reply



  • @nagaraja:

    Hey Bill,

    From the info I got, the only address Snort is able to understand and whitelist is the URL address record inside the URL alias, in other terms http://myserverip:port/list.something instead of the list content. I also think this could be bad for Snort since it allows numeric values only.

    Thanks for your quick reply

    Yes, if the text URL got written into the actual passlist/whitelist file produced for the Snort binary that would cause errors.  However, the code in the binary plugin that parses the pass list entries will discard any non-numeric values and print an error to the system log.  So it should not cause the entire pass list to be ignored.  Just the offending line or lines would be ignored.

    Bill
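The two behaviours Bill describes in this thread, the GUI flattening aliases into a file of bare IP addresses before handing it to the Snort binary, and the binary plugin discarding any non-numeric passlist line while logging an error rather than rejecting the whole list, are modelled below. This is an added example and not the pfSense Snort package's own code; the alias names, the URL, the `host`/`network`/`nested`/`urltable` alias kinds and the downloaded list contents are all constructed here (the URL table body is embedded as a string instead of being fetched) so the script runs offline.

```python
"""Illustrative model of building and parsing a Snort passlist on pfSense.

Added example, not the pfSense Snort package's code. It assumes simplified
alias kinds: 'host' and 'network' aliases holding IPs/CIDRs, a 'nested'
alias referencing other aliases, and a 'urltable' alias whose downloaded
contents are supplied as a constructed string rather than fetched.
"""
import ipaddress
import logging

logging.basicConfig(level=logging.WARNING, format="%(levelname)s: %(message)s")
log = logging.getLogger("snort_passlist")

# Constructed sample aliases (hypothetical names and values).
ALIASES = {
    "mgmt_hosts": {"type": "host", "entries": ["192.0.2.10", "192.0.2.11"]},
    "dmz_net": {"type": "network", "entries": ["198.51.100.0/24"]},
    "remote_list": {"type": "urltable", "url": "http://myserverip:8080/list.txt"},
    "all_trusted": {"type": "nested",
                    "entries": ["mgmt_hosts", "dmz_net", "remote_list"]},
}

# Constructed stand-in for the file a URL table alias would download.
URL_TABLE_CONTENT = {
    "http://myserverip:8080/list.txt": "203.0.113.5\n203.0.113.0/28\n# comment\n\n",
}


def resolve_alias(name, aliases=ALIASES, url_tables=URL_TABLE_CONTENT, seen=None):
    """Flatten an alias (recursively) into the raw entries it contains.

    A URL table alias contributes the downloaded list *contents*, not the
    URL string itself, which is what the thread asks the GUI to do.
    """
    seen = set() if seen is None else seen
    if name in seen:                      # guard against alias cycles
        return []
    seen.add(name)
    alias = aliases[name]
    if alias["type"] == "urltable":
        body = url_tables.get(alias["url"], "")
        return [ln.strip() for ln in body.splitlines()
                if ln.strip() and not ln.lstrip().startswith("#")]
    if alias["type"] == "nested":
        out = []
        for child in alias["entries"]:
            out.extend(resolve_alias(child, aliases, url_tables, seen))
        return out
    return list(alias["entries"])         # 'host' / 'network'


def build_passlist_file(alias_names, aliases=ALIASES, url_tables=URL_TABLE_CONTENT):
    """Return the text the GUI would hand to the binary: one entry per line."""
    entries = []
    for name in alias_names:
        entries.extend(resolve_alias(name, aliases, url_tables))
    return "\n".join(entries) + "\n"


def load_passlist(text):
    """Mimic the plugin's parse: keep valid IPs/networks, drop and log the rest.

    A bad line (for instance a literal URL) only costs that line; the
    remaining entries are still honoured.
    """
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            accepted.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            log.error("passlist line %d is not an IP or network: %r", lineno, line)
            rejected.append(line)
    return accepted, rejected


if __name__ == "__main__":
    text = build_passlist_file(["all_trusted"])
    good, bad = load_passlist(text)
    print("accepted:", [str(n) for n in good], "rejected:", bad)
    # Show what happens if the URL string itself had leaked into the file.
    good, bad = load_passlist(text + "http://myserverip:8080/list.txt\n")
    print("accepted:", len(good), "rejected after leak:", bad)
```

Running the script shows the five resolved entries being accepted, and the appended URL line being logged and dropped on its own while the other five entries survive, which is the "only the offending line is ignored" behaviour from the reply above.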

