Non ip() parameter passed with white list, skipping…



  • Greetings,

    I am persistently receiving this entry in the system log:

    snort 11720 Non ip() parameter passed with white list, skipping…

    I've checked the Pass list and the contents look fine.  I have 4 other firewalls at different locations and they do not have the same log entry.

    FYI: The Pass list contains aliases with host and network IP address values.

    We can't afford to have gaps in our pass list as some clients don't access their content during normal business hours and missing their one time a month would not go over well.

    Thoughts?

    Thanks ahead of time for your comments.

    Dino



  • This is probably being caused by an Alias that is empty.  Another possibility is a network that was previously defined has now been deleted.  In short, this means the Pass List contains a line for an interface or alias, but when the code attempts to get the IP address for that interface or alias it fails and an empty string is returned.

    Bill



  • Thanks for the reply!

    Interesting…  CARP configuration with snort sync enabled.  Happening on the primary but not the secondary.

    Thoughts?



  • I still stand by my theory that an Alias is not getting resolved to its actual IP address on the box with the error message.  The GUI code uses pfSense system calls to convert alias names to their actual IP addresses.  The actual IP addresses are then written into the pass list file when it is created.  The same thing happens for interfaces, DNS servers and the other parameters listed on the Pass List edit page.  They all get resolved to actual IP addresses with masks and are then written to the Pass List file Snort or Suricata uses.

    If for any reason an Alias, an interface, a DNS server or a gateway returns an empty address, then that empty address shows up in the file and generates the error.  You can open and view the actual Pass List text file being used by the interface.  Navigate to /usr/local/etc/snort/snort_xxxxx/ and open the pass list file in the directory.  The "_xxxxx" term will be your physical interface name along with a GUID random number.  You can browse to the file using DIAGNOSTICS > EDIT from the pfSense menu.

    Bill
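One way to act on Bill's advice and check the generated pass list file before Snort does, as an added example that is not part of the original thread and not pfSense package code. It assumes the pass list is plain text with one IPv4/IPv6 address or CIDR network per line and optional `#` comment lines; the file contents below are a constructed sample (one blank entry standing in for an alias that resolved to nothing, one entry with an impossible mask) rather than a real generated file, and the path argument is whatever you copied the file to.

```python
"""Check a Snort/Suricata pass list file for blank or non-IP entries.

Added example, not pfSense package code. Assumes the pass list is plain
text with one IPv4/IPv6 address or CIDR network per line and optional
'#' comment lines. The sample below is constructed for illustration.
"""
import ipaddress
import sys
from typing import List, Tuple

# Constructed sample: line 4 is the empty string an unresolved alias would
# leave behind, line 6 is a stale network entry with an invalid mask.
SAMPLE_PASSLIST = """\
# pass list for interface em0 (constructed sample, not a real file)
192.0.2.10/32
198.51.100.0/24

2001:db8::/32
10.0.0.0/33
203.0.113.7
"""


def classify_entry(raw: str) -> Tuple[str, str]:
    """Classify one line as 'ok', 'comment', 'empty' or 'invalid'.

    Returns (status, stripped_text). A bare host address without a mask is
    accepted because ip_network() treats it as a /32 or /128.
    """
    text = raw.strip()
    if not text:
        return ("empty", text)
    if text.startswith("#"):
        return ("comment", text)
    try:
        ipaddress.ip_network(text, strict=False)
    except ValueError:
        return ("invalid", text)
    return ("ok", text)


def check_passlist(content: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, status, text) for every entry Snort would reject.

    Only 'empty' and 'invalid' entries are reported; comments and valid
    addresses or networks are silently accepted.
    """
    problems: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        status, text = classify_entry(line)
        if status in ("empty", "invalid"):
            problems.append((lineno, status, text))
    return problems


if __name__ == "__main__":
    # Usage: python check_passlist.py /path/to/copied/passlist
    # Without an argument the constructed sample is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_PASSLIST
    findings = check_passlist(data)
    if not findings:
        print("pass list looks clean")
    for lineno, status, text in findings:
        print(f"line {lineno}: {status} entry {text!r}")
```

Run it against a copy of the file from `/usr/local/etc/snort/snort_xxxxx/` and the line numbers it reports are the ones to match back to an alias, interface, DNS server or gateway entry on the Pass List edit page; an empty or malformed line is exactly the kind of entry that produces the "Non ip() parameter" message when the list is loaded.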

