Snort ignoring passlist



  • I've been using pfSense at home for years. I've been running Snort on it for about 9 months. Early on I found I needed to pass-list certain IP ranges. It stopped the blocks and worked fine until the other day, when I updated a number of packages (although I'm not sure if Snort was one of them).
    While I have been having ISP issues, which are now resolved, since the upgrades Snort seems to be ignoring the passlist, so it is blocking my work IP ranges again. It's currently banned me for 3 hours!

    My work IP has been confirmed to be in the alias used for the passlist.
    At least it proves Snort is working, but any ideas what's gone wrong and why the passlist isn't working anymore?



  • @veehexx said in Snort ignoring passlist:

    I've been using pfSense at home for years. I've been running Snort on it for about 9 months. Early on I found I needed to pass-list certain IP ranges. It stopped the blocks and worked fine until the other day, when I updated a number of packages (although I'm not sure if Snort was one of them).
    While I have been having ISP issues, which are now resolved, since the upgrades Snort seems to be ignoring the passlist, so it is blocking my work IP ranges again. It's currently banned me for 3 hours!

    My work IP has been confirmed to be in the alias used for the passlist.
    At least it proves Snort is working, but any ideas what's gone wrong and why the passlist isn't working anymore?

    First, make sure the pass list you need is actually assigned to the interface. There are two steps to effectively using a Pass List. First is of course creating the list on the PASS LISTS tab. Second, and most important, is to go to the INTERFACE SETTINGS tab and actually assign the new Pass List to the interface. Do that down in the section for Networks Snort Should Inspect. There is a drop-down selector to choose the Pass List for the interface. After making any changes on this tab, you must save them and then restart Snort on the affected interface.

    In your case, sounds like your Work IP address range needs to be put in a firewall alias (which you said it is), then that alias assigned in the Address box on the Pass List edit screen.

    Look under DIAGNOSTICS > TABLES in pfSense and verify you see a table with the name of your alias and that table has the correct IP addresses in it.
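    A companion to the DIAGNOSTICS > TABLES check above: this reads the pass list file Snort actually loaded for one interface and reports which entries cover a given address, so a list that was created but never assigned shows up as "no covering entry". This is an added example, not code from the pfSense Snort package; the per-interface file path is an assumption (pfSense writes one pass list per interface under /usr/local/etc/snort/), and the sample list below is constructed.

```python
import ipaddress
from pathlib import Path

# Constructed sample of a generated Snort pass list: one address or CIDR per
# line, '#' starts a comment. The exact format pfSense emits is assumed here.
SAMPLE_PASSLIST = """\
# snort pass list (constructed sample)
127.0.0.1
192.168.1.0/24
203.0.113.10
198.51.100.0/22   # work range (constructed)
"""

# Assumed location; the real directory name embeds the interface's UUID and
# device name, e.g. /usr/local/etc/snort/snort_<id>_<iface>/passlist.
DEFAULT_PASSLIST_PATH = "/usr/local/etc/snort/snort_<id>_<iface>/passlist"


def parse_passlist(text):
    """Turn pass-list text into ip_network objects, skipping blanks and comments."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        # strict=False accepts host bits set inside a prefix (e.g. 10.0.0.5/24)
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def covering_entries(ip, nets):
    """Return the entries that contain ip; an empty list means Snort may block it."""
    addr = ipaddress.ip_address(ip)
    return [n for n in nets if n.version == addr.version and addr in n]


def check_passlist_file(path, ip):
    """Load the pass list Snort uses for an interface and test ip against it."""
    nets = parse_passlist(Path(path).read_text())
    return [str(n) for n in covering_entries(ip, nets)]


if __name__ == "__main__":
    # Runs against the constructed sample; point check_passlist_file at the
    # interface's real file on the firewall to test a blocked address.
    nets = parse_passlist(SAMPLE_PASSLIST)
    for probe in ("198.51.100.77", "8.8.8.8"):
        hits = covering_entries(probe, nets)
        print(probe, "covered by", [str(n) for n in hits] or "no entry (can be blocked)")
```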



  • @bmeeks said in Snort ignoring passlist:

    Second, and most important, is to go to the INTERFACE SETTINGS tab and actually assign the new Pass List to the interface. Do that down in the section for Networks Snort Should Inspect. There is a drop-down selector to choose the Pass List for the interface. After making any changes on this tab, you must save them and then restart Snort on the affected interface.

    In your case, sounds like your Work IP address range needs to be put in a firewall alias (which you said it is), then that alias assigned in the Address box on the Pass List edit screen.

    Hopefully that's the fix... I didn't have it defined in the 'pass list' dropdown from Snort interface > WAN Settings > 'Choose the Networks Snort Should Inspect and Whitelist' section.
    I guess something improved with detection when I updated, as I've had a passlist defined for many months without my work IP range being blocked. The reality was the passlist was never assigned to an interface.



  • @veehexx said in Snort ignoring passlist:

    Hopefully that's the fix... I didn't have it defined in the 'pass list' dropdown from Snort interface > WAN Settings > 'Choose the Networks Snort Should Inspect and Whitelist' section.

    That should fix it. A Pass List is not automatically assigned when created because Snort does not know which interface to use it on (in the case of multiple interfaces). To keep the code simple, it just assumes there may be more than one interface in use and waits for the user to assign a given Pass List to an interface. There is a default Pass List that is used until a custom one is assigned. That default list includes the DNS server IP addresses, the WAN IP, locally-attached networks, VPNs and virtual IPs. The default list works most of the time, especially for home users.