Snort ignoring pass lists



  • I'm trying to whitelist some individual IP's until I have a better idea, but it doesn't seem to be working.

    • I created an alias under Firewall >> Aliases which contains a list of the IP's I want to whitelist. screenshot

    • I created a Pass List in Snort which uses the Aliases I created screenshot

    • I enabled the pass list for external net on both the WAN and LAN interfaces in Snort. screenshot 1 screenshot 2

    • Tried bouncing the snort interfaces and rebooting the firewall

    • This IP keeps getting blocked despite being on the pass list. screenshot



  • As of now I only have the pass list enabled for External Net. Do I also need to enable it on Home Net and Pass List?



  • @harmisist said in Snort ignoring pass lists:

    As of now I only have the pass list enabled for External Net. Do I also need to enable it on Home Net and Pass List?

    I think you are misunderstanding the differences between HOME_NET, EXTERNAL_NET and then Pass Lists. HOME_NET and EXTERNAL_NET really don't have anything to do with a Pass List directly. HOME_NET defines the networks (hosts) that Snort is protecting. EXTERNAL_NET defines the networks (hosts) that are assumed to be hostile and on the attack. If you look at most of the Snort rules, you will see $HOME_NET as the "destination" IP and $EXTERNAL_NET as the "source" IP to match. So this tells Snort to look for malicious packets where the "DST IP" is in the HOME_NET defined networks and the "SRC IP" is in the EXTERNAL_NET defined networks. There are some other types of rules where those roles are reversed, but you can get the general idea. The default definition for EXTERNAL_NET is !HOME_NET, which means any network or IP not part of HOME_NET is automatically part of EXTERNAL_NET. If you assign your own list to EXTERNAL_NET, then you can easily turn off most of your alerts unless you really know what you are doing. You should generally never touch the EXTERNAL_NET setting. Same thing for HOME_NET 95% of the time. Do a Google search for "writing snort rules" and you will find a number of tutorials. Reading through those will help you understand what HOME_NET and EXTERNAL_NET are about. Then you can examine some of the actual rules in the Snort package. Go to the RULES tab, choose a rule category in the drop-down, and then click on the SID number hyperlink in the list to view that rule in a modal dialog. All of this will help you understand what Snort is doing and how the rules work. This is crtical! What you have done by altering your EXTERNAL_NET like you did is essentially restrict Snort to alerting only when the offender's IP is in your Pass List. This is 100% the opposite of what you wanted!

    A Pass List, in the Snort package on pfSense, simply contains a list of addresses that should never be blocked even when they cause an alert. So you need to assign your Pass List in the drop-down for Pass List on the INTERFACE SETTINGS tab and change EXTERNAL_NET back to "default". Save those changes and restart Snort. Since you say you did this on both LAN and WAN, then you need to fix it both places. But you really should just run Snort on your LAN unless you have WAN rules permitting unsolicited inbound traffic for email, web or DNS servers, for example. Running it on the WAN does not do much for security because your firewall will, by default, drop all unsolicited inbound traffic on the WAN anyway. So in that case, Snort is just going to block what your firewall is already blocking, so you have wasted CPU cycles and memory doing a "double block" of traffic.



  • I fixed the pass list on both interfaces. I do have several incoming services, so I need both. When I set Snort up several months ago I followed this KB article which shows them adding the pass list to the external interface. It seems to be working now, thanks for the reply.



  • @harmisist said in Snort ignoring pass lists:

    I fixed the pass list on both interfaces. I do have several incoming services, so I need both. When I set Snort up several months ago I followed this KB article which shows them adding the pass list to the external interface. It seems to be working now, thanks for the reply.

    That should fix it for you, but DO NOT confuse the EXTERNAL_NET variable with the physical external interface (WAN, in your case). They are not the same thing at all. While it is true that most of the !HOME_NET addresses will come into your network via the WAN, that does not mean when you see EXTERNAL_NET to think that only applies to your physical WAN.

    Go read some of those Google tutorials I mentioned in my first post and learn what those two variables really mean within Snort. I don't mean to sound rude or patronizing with this statement, but your first action that caused your initial issue, and then your second reply to my post about the solution, leads me to believe you do not understand how Snort should be configured yet. Reading some of those tutorials will help you grasp the key concepts.