Netgate Discussion Forum

Snort blocking pass list

IDS/IPS
4 Posts 2 Posters 691 Views
  • pfsense7515
    Jan 21, 2021, 8:41 AM

    Hello,

    We have pfSense version 2.4.4-RELEASE (amd64). We set up the Snort package, version 3.2.9.7_2. We activated several rules which generate alerts. We created a pass list with many IP addresses to whitelist (not block). We associated this pass list with the WAN interface. The problem encountered is that the pass list is not considered. Do you have any idea, please?

    Thank you for your help

    Regards

    • bmeeks @pfsense7515
      Jan 21, 2021, 4:20 PM

      @pfsense7515 said in Snort blocking pass list:

      Hello,

      We have pfSense version 2.4.4-RELEASE (amd64). We set up the Snort package, version 3.2.9.7_2. We activated several rules which generate alerts. We created a pass list with many IP addresses to whitelist (not block). We associated this pass list with the WAN interface. The problem encountered is that the pass list is not considered. Do you have any idea, please?

      Thank you for your help

      Regards

      After you assigned the Pass List to the interface, did you restart Snort on that interface? Pass List contents are only read once, during startup of Snort on an interface.

      You also really need to consider updating. How did you even install that version of Snort? It has been out of date for quite some time.

      • pfsense7515 @bmeeks
        Jan 26, 2021, 9:32 AM

        @bmeeks

        Hello, thank you for your reply. About your questions:

        • Did you restart Snort on that interface? Yes, I tried several times, but without success. Do you need to restart the SNORT services?

        • How did you even install that version of Snort? We set up the integrated packages included in pfSense.

        We are aware that it is necessary to update. Do you have any other suggestions, please?

        Thanks a lot

        • bmeeks @pfsense7515
          last edited by bmeeks Jan 26, 2021, 1:24 PM

          @pfsense7515 said in Snort blocking pass list:

          @bmeeks

          Hello, thank you for your reply. About your questions:

          • Did you restart Snort on that interface? Yes, I tried several times, but without success. Do you need to restart the SNORT services?

          • How did you even install that version of Snort? We set up the integrated packages included in pfSense.

          We are aware that it is necessary to update. Do you have any other suggestions, please?

          Thanks a lot

          No, I have no other suggestions if you have done all of the following:

          1. Open the INTERFACE SETTINGS tab for the affected Snort interface and select the desired Pass List by name in the drop-down selector for Pass List assignment.

          2. SAVE that change and return to the INTERFACES tab in Snort.

          3. Click the icon on the affected interface to restart Snort.

          If Snort has already previously blocked a particular IP address, then you must manually remove that block by going to the BLOCKED tab and deleting the address from the list (or just clear all blocks). Snort hands off blocking to pfSense, so restarting Snort or stopping Snort will not unblock a previously blocked IP address. Just pointing that out because some folks think otherwise. Snort is not dynamic. It only reads a Pass List when starting, and it can't "unblock" anything. When a Snort alert triggers, Snort extracts the IP from the triggering packet and sends it to the firewall for blocking. After that, pfSense itself holds the block, not Snort.

          You really need to update your firewall. Running out of date software on a critical component such as a network firewall is not wise.
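
          Because the Pass List is read only at Snort startup while the blocks themselves live in a pfSense firewall table, a pass-listed address can stay blocked indefinitely. The script below is an added example, not code from the thread or from the Snort package: it reconciles a Pass List (hosts or CIDR entries, an assumption about the list format) against a dump of the block table and reports the addresses that still need clearing. The table name `snort2c`, the `pfctl` commands and all sample addresses are assumptions or constructed data.

```python
import ipaddress

# Constructed sample Pass List (not from the thread); comments and blank lines
# are ignored, and entries may be single hosts or CIDR networks (assumption).
PASS_LIST = """
# trusted monitoring hosts
203.0.113.10
198.51.100.0/24
2001:db8::/32
"""

# Constructed stand-in for the firewall's block table.  On pfSense the table
# Snort feeds is assumed to be named snort2c; a live dump would come from
# `pfctl -t snort2c -T show`.
BLOCKED_TABLE = """
203.0.113.10
198.51.100.77
192.0.2.5
2001:db8:1::9
"""


def parse_networks(text):
    """Parse Pass List lines into ip_network objects, skipping comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_addresses(text):
    """Parse a pf table dump (one address per line) into ip_address objects."""
    return [ipaddress.ip_address(l.strip()) for l in text.splitlines() if l.strip()]


def stale_blocks(pass_list_text, blocked_text):
    """Return blocked addresses that a Pass List entry covers.

    Snort never removes a block it has already handed to pfSense, so these
    stay blocked until cleared on the BLOCKED tab (or, assumed equivalent,
    `pfctl -t snort2c -T delete <addr>`).  Mixed IPv4/IPv6 never matches.
    """
    nets = parse_networks(pass_list_text)
    return sorted(str(a) for a in parse_addresses(blocked_text)
                  if any(a in n for n in nets))


if __name__ == "__main__":
    for addr in stale_blocks(PASS_LIST, BLOCKED_TABLE):
        print(f"pass-listed but still blocked: {addr}")
```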

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.