Netgate Discussion Forum

    Snort passlist not read after adding FQDN to alias

      cyberzeus

      Setup

      • pfSense: v2.4.1

      • Snort: v3.2.9.5_3


      Issue

      After adding an FQDN entry to an alias then used to define a passlist, the alias portion of the passlist is silently ignored.  Steps to reproduce are shown below.

      I understand that passlists do not support FQDNs; however, the system should at least throw some kind of error or, better yet, maybe just read the alias and ignore the invalid entries. The current behavior is possibly the worst of all in that the silent ignore leaves the user thinking the passlist is being employed when in reality it is not, thereby creating a precarious situation where one could get locked out of their own system.


      Steps to reproduce

      • Create an alias with a few IP addresses.

      • Create a passlist that references the above alias.

      • Go to the desired interface config and set it to use the above passlist.

      • Click the View List button to confirm the passlist is being read as expected.

      • Save changes and Restart the interface.

      • Add an FQDN to the alias previously created - be sure to Apply after saving changes.

      • Go to the interface config where the passlist was installed and click the View List button to check the passlist.  It should no longer appear as expected - i.e. the alias portion of the list is ignored.

      • Remove the FQDN just added - be sure to Apply after saving changes.

      • Go to the interface config where the passlist was installed and click the View List button to check the passlist.  The list should be read as expected.

      NOTE: The issue occurs when the FQDN is saved as opposed to when those changes are applied (i.e. using the Apply button) as one might expect.

        bmeeks

        The code originally threw up an error when an FQDN alias was used.  Maybe that logic got lost when the GUI code was converted over to the Bootstrap interface in pfSense.  I will need to dig into it and see why the error is not flagged when saving the Pass List edit with an FQDN alias.

        One possibility is that if the aliases are nested (meaning actual IP addresses mixed in with an FQDN alias) the code is getting tripped up.  Just out of curiosity, have you tried using a single FQDN alias (in other words, no mixed IP addresses in with it) to see if that generates an error when saving the edited Pass List?

        Bill

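The behaviour both posts want (reject or visibly skip FQDN entries instead of silently dropping the whole alias, and cope with nested aliases that mix IPs and hostnames) can be shown with a small standalone validator. This is an added example written for this page; it is not code from the pfSense Snort package, whose passlist generation is PHP and structured differently, nor from either poster. The alias table, the alias and host names, and the function names `resolve_alias`, `format_network` and `build_passlist` are all constructed for the illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple, Union

# Constructed alias table mirroring the shape of pfSense network aliases:
# alias name -> entries. An entry may be an IP address, a CIDR network,
# a hostname (FQDN) or the name of another alias (nesting). Sample values only.
ALIASES: Dict[str, List[str]] = {
    "lan_hosts": ["192.0.2.10", "192.0.2.20", "198.51.100.0/24"],
    "monitor_srv": ["monitor.example.net"],          # FQDN: unusable in a passlist
    "passlist_alias": ["lan_hosts", "monitor_srv", "203.0.113.5"],  # nested, mixed
}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Rejected = Tuple[str, str]  # (entry, reason it was rejected)


def resolve_alias(name: str, aliases: Dict[str, List[str]],
                  seen: Optional[Set[str]] = None
                  ) -> Tuple[List[Network], List[Rejected]]:
    """Flatten an alias, following nested aliases, into the networks a Snort
    passlist can hold plus the entries it cannot, each with a reason."""
    seen = set() if seen is None else seen
    if name in seen:                      # guard against alias cycles
        return [], []
    seen.add(name)
    accepted: List[Network] = []
    rejected: List[Rejected] = []
    for entry in aliases.get(name, []):
        if entry in aliases:              # nested alias: recurse into it
            sub_ok, sub_bad = resolve_alias(entry, aliases, seen)
            accepted.extend(sub_ok)
            rejected.extend(sub_bad)
            continue
        try:
            accepted.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:                # anything that is not an IP/CIDR, e.g. an FQDN
            rejected.append((entry, "not an IP address or CIDR network (FQDN?)"))
    return accepted, rejected


def format_network(net: Network) -> str:
    """Single hosts as a bare address, everything else in CIDR notation."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def build_passlist(alias_name: str, aliases: Dict[str, List[str]],
                   strict: bool = True) -> str:
    """Render the passlist body (one address or network per line).
    strict=True refuses an alias with unusable entries, which is the error the
    report asks for; strict=False keeps the usable entries and records each
    skipped one as a comment, so the problem is visible when viewing the list."""
    accepted, rejected = resolve_alias(alias_name, aliases)
    if rejected and strict:
        bad = ", ".join(f"{entry} ({reason})" for entry, reason in rejected)
        raise ValueError(f"alias '{alias_name}' has entries a passlist cannot use: {bad}")
    lines = [f"# passlist built from alias {alias_name}"]
    lines += [format_network(net) for net in accepted]
    lines += [f"# skipped {entry}: {reason}" for entry, reason in rejected]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usable alias: renders cleanly.
    print(build_passlist("lan_hosts", ALIASES))
    # Mixed nested alias: refused in strict mode, annotated in lenient mode.
    try:
        build_passlist("passlist_alias", ALIASES)
    except ValueError as exc:
        print("refused:", exc)
    print(build_passlist("passlist_alias", ALIASES, strict=False))
```

Either mode is preferable to the behaviour described in the report: the strict path surfaces the bad entry at save time, and the lenient path still installs the IP entries while leaving a visible record of what was dropped, so an operator checking View List is not misled into believing hosts are exempt from blocking when they are not.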
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.