Snort Blocking Host No Matter What



  • I am trying to whitelist fantech.net (IP address 217.114.90.213).

    I have added it to the pass list, I have tried to suppress and force disable the rule in the alerts section.

    I restart snort and it lets me visit one page on fantech.net, and then it's blocked again.




  • @davetheriault
    Are you clearing the initial block first by going to the BLOCKED tab and removing that IP address? Snort hands off blocking to the pfSense firewall itself. Simply restarting Snort will not remove an existing block. You must manually clear an existing block (or reboot the firewall).



  • Ya. I've tried 'removing' the individual entry in Blocked Hosts. And I have also tried the 'Clear - All blocked hosts will be removed' option each time I try to fix the issue.
    After I clear it from the Blocked Hosts table, I am able to visit the host with one successful page load, but it immediately gets re-added to the Blocked Hosts table by snort, and I can't continue or reload the page from that host, no matter what rules I have suppressed or pass lists I have created.



  • @davetheriault said in Snort Blocking Host No Matter What:

    Ya. I've tried 'removing' the individual entry in Blocked Hosts. And I have also tried the 'Clear - All blocked hosts will be removed' option each time I try to fix the issue.
    After I clear it from the Blocked Hosts table, I am able to visit the host with one successful page load, but it immediately gets re-added to the Blocked Hosts table by snort, and I can't continue or reload the page from that host, no matter what rules I have suppressed or pass lists I have created.

    I know of only two ways what you describe can physically happen.

    1. You are disabling the wrong rule (i.e., you are not disabling the rule that is actually firing) or else multiple rules are firing and you still haven't found them all;

    2. There is another duplicate Snort process running on the interface that is not responding to your rule changes. That can happen in rare circumstances. To see, run this command from a shell prompt on the firewall:

    ps -ax | grep snort


    You should see only a single Snort process listed for each configured interface. If you see more than one per interface, stop Snort in the GUI and then kill any remaining Snort processes from the command line shell.

    As for the Pass List "Snort_Pass_List" shown in your screen capture, do you have that list assigned to the Snort interface on the INTERFACE SETTINGS tab? There is a drop-down selector on that tab where you select the Pass List you want to use for the interface. Make sure "Snort_Pass_List" is selected, save the change, and then restart Snort on the interface. Using a custom Pass List is a two-step process: (1) first create the list; and then (2) go to the INTERFACE SETTINGS tab and assign the list to the desired Snort interface.
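The duplicate-process check in the answer above can be scripted so that the "one Snort process per interface" rule is verified automatically rather than by eyeballing `ps` output. The script below is an added example, not code from the thread or from the pfSense Snort package. It assumes that each Snort daemon's command line carries the interface as `-i <iface>` (this is how the pfSense package launches Snort, but verify on your own box), and the `ps -ax` sample it parses is constructed for illustration; on a live firewall you would pipe real `ps -ax` output into `duplicate_snort_ifaces` instead.

```shell
#!/bin/sh
# Added example: flag interfaces that have more than one Snort process.
# SAMPLE_PS is constructed ps -ax output; real output will differ in detail.
SAMPLE_PS='  PID TT  STAT    TIME COMMAND
 1234  -  Ss   0:02.10 /usr/local/bin/snort -R 12345_em1 -D -q -i em1 -c /usr/local/etc/snort/snort_12345_em1/snort.conf
 1235  -  Ss   0:01.05 /usr/local/bin/snort -R 67890_em2 -D -q -i em2 -c /usr/local/etc/snort/snort_67890_em2/snort.conf
 1300  -  Ss   0:00.99 /usr/local/bin/snort -R 12345_em1 -D -q -i em1 -c /usr/local/etc/snort/snort_12345_em1/snort.conf
 1400  0  S+   0:00.01 grep snort'

# Read ps output on stdin; print "<iface> <count>" for every interface
# that has at least one Snort daemon. The grep itself is filtered out,
# and the interface name is taken from the "-i <iface>" argument.
snort_counts_per_iface() {
    grep '/snort ' \
      | grep -v 'grep' \
      | sed -n 's/.* -i \([^ ]*\).*/\1/p' \
      | sort | uniq -c \
      | awk '{print $2, $1}'
}

# Read ps output on stdin; print only interfaces with duplicate daemons.
# Empty output means the process table looks healthy.
duplicate_snort_ifaces() {
    snort_counts_per_iface | awk '$2 > 1 {print $1}'
}

# Demonstration on the constructed sample (em1 has two daemons, em2 has one).
# On a live pfSense box:  ps -ax | duplicate_snort_ifaces
printf '%s\n' "$SAMPLE_PS" | duplicate_snort_ifaces
```

If the check prints an interface name, follow the advice above: stop Snort for that interface in the GUI first, then kill whatever Snort processes remain from the shell, and only then restart Snort so a single daemon picks up the current rule and Pass List configuration.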