Netgate Discussion Forum

    Snort passlist - URL table IPs alias

nagaraja

      Hi guys

I have used Snort since pfSense 1.2.3, and I always thought about the limitation of Snort's passlist, even if an alias can nest other aliases.
Now I am doing some tests to use a URL table IP alias, loaded from a web server, as a passlist, but it does not seem to work.

Could anyone confirm this or give some tip to get it to work? I did not find anything on the forum about it.

      NB:

1. I always use IPs in the passlist, never hostnames
2. The passlist is bound to interfaces
3. I always restart interfaces to reload changes

Forgot to say: I actually can view the populated URL table from Diag > Tables.

Thanks in advance

      Walter

bmeeks

The plugin that does the blocking for Snort on pfSense assumes a PassList contains only actual IP addresses. The GUI code, when building the configuration files for an interface, will decode all the aliases into IP addresses and write only the IPs into the file handed off to the binary. At the moment that GUI code does not "understand" URL table IPs and thus is not processing them into IP addresses.

I can take a look at that to see if improvements are possible. I will add it to my TODO list for Snort.

        Bill

nagaraja

          Hey Bill,

From the info I got, the only address Snort is able to understand and whitelist is the URL address record inside the URL alias. In other terms, http://myserverip:port/list.something instead of the list content. I also think this could be bad for Snort since it allows numeric values only.

          Thanks for your quick reply

bmeeks

            @nagaraja:

            Hey Bill,

From the info I got, the only address Snort is able to understand and whitelist is the URL address record inside the URL alias. In other terms, http://myserverip:port/list.something instead of the list content. I also think this could be bad for Snort since it allows numeric values only.

            Thanks for your quick reply

Yes, if the text URL got written into the actual passlist/whitelist file produced for the Snort binary that would cause errors. However, the code in the binary plugin that parses the pass list entries will discard any non-numeric values and print an error to the system log. So it should not cause the entire pass list to be ignored. Just the offending line or lines would be ignored.

            Bill

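The two behaviours Bill describes (the GUI flattening nested aliases into plain IPs before writing the passlist file, and the binary plugin dropping any non-numeric line with a logged error rather than rejecting the whole list) can be reproduced with a small model. The code below is an added illustration, not pfSense or Snort package code; the alias table, the URL table contents and the URL http://myserverip:8080/list.txt are all constructed for the example, and the helper names (resolve_alias, load_urltable, build_passlist) are assumptions. It shows how a URL table alias that is not expanded leaks its URL string into the passlist and how a tolerant parser isolates that one bad line.

```python
import ipaddress
import logging
from typing import Dict, List, Tuple

# Constructed alias table (example only). "passlist_all" nests a host alias,
# a network alias and a URL table alias, plus one literal address.
ALIASES: Dict[str, Dict] = {
    "mgmt_hosts":   {"type": "host",     "entries": ["192.0.2.10", "192.0.2.11"]},
    "partner_net":  {"type": "network",  "entries": ["198.51.100.0/24"]},
    "vendor_list":  {"type": "urltable", "entries": ["http://myserverip:8080/list.txt"]},
    "passlist_all": {"type": "host",     "entries": ["mgmt_hosts", "partner_net",
                                                     "vendor_list", "203.0.113.5"]},
}

# Constructed stand-in for the fetched URL table body (one entry per line,
# '#' comments allowed), so the example runs offline.
URLTABLE_CONTENT: Dict[str, str] = {
    "http://myserverip:8080/list.txt": "# vendor ranges\n203.0.113.0/25\n203.0.113.200\n",
}


def load_urltable(url: str) -> List[str]:
    """Return the non-comment, non-empty lines of a (constructed) URL table."""
    entries = []
    for raw in URLTABLE_CONTENT.get(url, "").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def resolve_alias(name: str, expand_urltables: bool, _seen=None) -> List[str]:
    """Flatten an alias, following nested aliases.

    With expand_urltables=False the URL table alias is not decoded, so the
    URL string itself ends up in the output (the situation from the thread).
    """
    _seen = set() if _seen is None else _seen
    if name in _seen:          # guard against alias cycles
        return []
    _seen.add(name)
    alias = ALIASES[name]
    out: List[str] = []
    for entry in alias["entries"]:
        if entry in ALIASES:
            out.extend(resolve_alias(entry, expand_urltables, _seen))
        elif alias["type"] == "urltable":
            out.extend(load_urltable(entry) if expand_urltables else [entry])
        else:
            out.append(entry)
    return out


def is_numeric_address(entry: str) -> bool:
    """True for a bare IPv4/IPv6 address or a CIDR network, False otherwise."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def build_passlist(entries: List[str]) -> Tuple[List[str], List[str]]:
    """Model of the tolerant parser: keep numeric entries, log and drop the rest.

    Only the offending lines are rejected; the remaining passlist stays in force.
    """
    kept, rejected = [], []
    for entry in entries:
        if is_numeric_address(entry):
            kept.append(entry)
        else:
            logging.error("passlist: discarding non-numeric entry %r", entry)
            rejected.append(entry)
    return kept, rejected


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for expand in (False, True):
        kept, rejected = build_passlist(resolve_alias("passlist_all", expand))
        print(f"expand_urltables={expand}: kept={kept} rejected={rejected}")
```

Running it without expansion logs one error for the URL line and keeps the other four entries; with expansion the two vendor ranges replace the URL and nothing is rejected. A defender checking a real box can do the equivalent by comparing the entries of the URL table in Diag > Tables against the generated passlist file and the system log for the discard error.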
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.