Netgate Discussion Forum
    Snort ignoring passlist

    IDS/IPS
    • veehexx
      I've been using pfSense at home for years. I've been running Snort on it for about 9 months. Early on I found I needed to pass-list certain IP ranges. It stopped the blocks and worked fine till the other day, when I updated a number of packages (although I'm not sure if Snort was one of them).
      While I have been having ISP issues which are now resolved, since the upgrades Snort seems to be ignoring the passlist, so it is blocking my work IP ranges again. It's currently banned me for 3 hours!

      The work IP has been confirmed to be in the alias used for the passlist.
      At least it proves Snort is working, but any ideas what's gone wrong and why the passlist isn't working anymore?

      • bmeeks @veehexx

        @veehexx said in Snort ignoring passlist:

        I've been using pfSense at home for years. I've been running Snort on it for about 9 months. Early on I found I needed to pass-list certain IP ranges. It stopped the blocks and worked fine till the other day, when I updated a number of packages (although I'm not sure if Snort was one of them).
        While I have been having ISP issues which are now resolved, since the upgrades Snort seems to be ignoring the passlist, so it is blocking my work IP ranges again. It's currently banned me for 3 hours!

        The work IP has been confirmed to be in the alias used for the passlist.
        At least it proves Snort is working, but any ideas what's gone wrong and why the passlist isn't working anymore?

        First, make sure the pass list you need is actually assigned to the interface. There are two steps to effectively using a Pass List. First is of course creating the list on the PASS LISTS tab. Second, and most important, is to go to the INTERFACE SETTINGS tab and actually assign the new Pass List to the interface. Do that down in the section for Networks Snort Should Inspect. There is a drop-down selector to choose the Pass List for the interface. After making any changes on this tab, you must save them and then restart Snort on the affected interface.

        In your case, it sounds like your work IP address range needs to be put in a firewall alias (which you said it is), then that alias assigned in the Address box on the Pass List edit screen.

        Look under DIAGNOSTICS > TABLES in pfSense and verify you see a table with the name of your alias and that table has the correct IP addresses in it.

        • veehexx @bmeeks

          @bmeeks said in Snort ignoring passlist:

          Second, and most important, is to go to the INTERFACE SETTINGS tab and actually assign the new Pass List to the interface. Do that down in the section for Networks Snort Should Inspect. There is a drop-down selector to choose the Pass List for the interface. After making any changes on this tab, you must save them and then restart Snort on the affected interface.

          In your case, it sounds like your work IP address range needs to be put in a firewall alias (which you said it is), then that alias assigned in the Address box on the Pass List edit screen.

          Hopefully that's the fix... I didn't have it defined in the 'Pass List' dropdown from Snort Interfaces > WAN Settings > 'Choose the Networks Snort Should Inspect and Whitelist' section.
          I guess something improved with detection when I updated, as I've had a passlist defined for many months without my work IP range being blocked. The reality was the passlist was never assigned to an interface.

          • bmeeks @veehexx

            @veehexx said in Snort ignoring passlist:

            Hopefully that's the fix... I didn't have it defined in the 'Pass List' dropdown from Snort Interfaces > WAN Settings > 'Choose the Networks Snort Should Inspect and Whitelist' section.

            That should fix it. A Pass List is not automatically assigned when created because Snort does not know which interface to use it on (in the case of multiple interfaces). To keep the code simple, it just assumes there may be more than one interface in use and waits for the user to assign a given Pass List to an interface. There is a default Pass List that is used until a custom one is assigned. That default list includes the DNS server IP addresses, the WAN IP, locally-attached networks, VPNs and virtual IPs. The default list works most of the time, especially for home users.

            • vidorado @bmeeks

              @bmeeks said in Snort ignoring passlist:

              then restart Snort on the affected interface.

              In my case this was the problem. I had updated the passlist and it was already assigned to the interface; even the IP list shown with the "View List" button next to the dropdown was OK. But it kept blocking the new IPs added to the passlist until I restarted the Snort interface.

              • bmeeks @vidorado

                @vidorado said in Snort ignoring passlist:

                @bmeeks said in Snort ignoring passlist:

                then restart Snort on the affected interface.

                In my case this was the problem. I had updated the passlist and it was already assigned to the interface; even the IP list shown with the "View List" button next to the dropdown was OK. But it kept blocking the new IPs added to the passlist until I restarted the Snort interface.

                Remember that the Snort package consists of two distinct parts. There is an underlying binary executable that runs as a service, and there is the PHP-driven GUI that generates the configuration files needed by the binary.

                When you make changes to Snort's configuration, those changes are written to one of the few text configuration files read by the binary. But the binary only reads those files once during startup. So any changes require restarting the binary so it can "see" the new configuration. The only exception to this is loading new rules. The binary can be signaled via SIGHUP to reload its rules file, but that is all. Other changes require a restart.

                When you "view a Pass List" in the GUI, all it is doing is reading the content of the Pass List text file and displaying it for you. If the text file has been rewritten, but the binary not restarted, then what the binary is using will not match what the GUI is showing.

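The two failure modes discussed in this thread (an address that is not actually covered by the pass list the interface uses, and a pass list file rewritten after the Snort binary started) can both be checked from the shell without guessing. The following is an added example, not code from the pfSense Snort package or from anyone in the thread. It assumes the pass list is a plain text file with one IP or CIDR per line (the sample content below is constructed), and it takes the file's modification time and the Snort process start time as plain numbers so it runs offline; on a live box you would obtain them from `os.stat(path).st_mtime` and from `ps -o lstart` on the Snort PID for that interface.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample pass list content (not a real pfSense file). One IP or
# CIDR per line; '#' starts a comment (an assumption about the format).
SAMPLE_PASSLIST = """\
# constructed sample: pass list for the WAN interface
127.0.0.1
192.168.1.0/24
203.0.113.10
198.51.100.0/25
"""


def parse_passlist(text: str) -> Tuple[List[ipaddress._BaseNetwork], List[str]]:
    """Parse pass list text into ip_network objects.

    Returns (networks, malformed_lines). Comments and blank lines are
    skipped; a bare host address becomes a /32 (or /128) network.
    """
    nets, bad = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append(line)
    return nets, bad


def is_passlisted(ip: str, nets: List[ipaddress._BaseNetwork]) -> bool:
    """True if ip falls inside any network in the parsed pass list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def passlist_is_stale(passlist_mtime: float, snort_start_time: float) -> bool:
    """True when the file on disk was rewritten after the Snort binary
    started. The binary reads its configuration once at startup, so a
    newer file means the running process is still using the old list."""
    return passlist_mtime > snort_start_time


def check_passlist(text: str, ip: str, passlist_mtime: float,
                   snort_start_time: float) -> dict:
    """Combine both checks into one report for a given source address."""
    nets, bad = parse_passlist(text)
    return {
        "ip_in_passlist": is_passlisted(ip, nets),
        "malformed_lines": bad,
        "needs_restart": passlist_is_stale(passlist_mtime, snort_start_time),
    }


if __name__ == "__main__":
    # Constructed timestamps: file rewritten (t=200) after Snort started (t=100).
    report = check_passlist(SAMPLE_PASSLIST, "198.51.100.200", 200.0, 100.0)
    print(report)
```

In the sample run the address 198.51.100.200 is reported as not pass-listed, because the entry is a /25 and only covers .0 through .127, and `needs_restart` is true because the file is newer than the process; either finding alone would explain a block that "should not happen".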
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.