Snort whitelist not working



  • Last night I changed the DNS over to OpenDNS. One of the Snort rules is blocking the OpenDNS servers, so I added them to the whitelist. Unfortunately, it keeps blocking them, even though they are whitelisted. I tried entering just the IP, and IP/CIDR (208.67.222.222/32). Neither works.

    Whitelist functionality is very important… why isn't it working?

    Justin



  • You may have already tried, but after you add an address to the whitelist, Snort needs to be restarted. You may also need to edit the file that starts Snort, as mentioned earlier in the board.

    @korkakak:

    for my version:

    
    # uname -a
    FreeBSD cerberus 7.0-RELEASE-p8 FreeBSD 7.0-RELEASE-p8 #0: Thu Jan  8 22:07:30 EST 2009     sullrich@freebsd7-releng_1_2_1.pfsense.org:/usr/obj.pfSense/usr/src/sys/pfSense.7  i386
    
    

    pm26862 is right! The syntax of the & together with ; is mistaken and should be corrected.
    The way to correct this issue is twofold:

    First, for operations where the process is sent to the background (via the & operator), you must exclude the end-of-statement operator (;) and/or change line.

    For instance, my config in the critical section looks like this:

    
    /bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c
    sleep 8
    snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast &
    sleep 8
    snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i dc0 -A fast &
    echo "Sleeping before final memory sampling..."
    sleep 17
    
    

    Each command is on one line; hope it helps. Keep in mind that removal of the & operator (send to background) does not allow the script to continue with all its operations until the snort -c directive returns from execution (that's why blacklisting works only for the first declared device).

    hope this helps
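A way to check a startup fragment for the `&` plus `;` mistake described in the reply above, added here as an example that is not part of the thread or of the pfSense Snort package. `BROKEN` is an assumed reconstruction of the faulty form (the thread does not show it), `FIXED` follows the layout quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Both fragments are constructed samples: BROKEN is an assumed
# reconstruction of the "&" plus ";" mistake, FIXED follows the quoted layout.
BROKEN='/bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c
sleep 8
snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast &;
sleep 8
snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i dc0 -A fast &;'

FIXED='/bin/mkdir -p /var/log/snort;/usr/bin/killall snort2c
sleep 8
snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast &
sleep 8
snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i dc0 -A fast &
echo "Sleeping before final memory sampling..."
sleep 17'

# check_fragment TEXT: prints "ok" or "syntax-error". TEXT is only parsed,
# never executed, so snort does not need to be installed to run the check.
check_fragment() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$tmp"
    # sh -n reads and parses the file without running any command in it.
    if sh -n "$tmp" 2>/dev/null; then
        result=ok
    else
        result=syntax-error
    fi
    rm -f "$tmp"
    printf '%s\n' "$result"
}

# find_amp_semicolon TEXT: prints the line numbers where "&" is directly
# followed by ";" (optionally with whitespace between). Heuristic only: it
# does not understand quoting, so review each hit by hand.
find_amp_semicolon() {
    printf '%s\n' "$1" | grep -n '&[[:space:]]*;' | cut -d: -f1 |
        tr '\n' ' ' | sed 's/ $//'
}

printf 'broken: %s (lines: %s)\n' \
    "$(check_fragment "$BROKEN")" "$(find_amp_semicolon "$BROKEN")"
printf 'fixed:  %s (lines: %s)\n' \
    "$(check_fragment "$FIXED")" "$(find_amp_semicolon "$FIXED")"
```

A parse failure in the start script means the later lines, including the second interface's Snort instance, never run, so running this check after each edit catches the problem before a restart.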

