    Snort blocking pass list

    IDS/IPS

    pfsense7515:

      Hello,

      We have pfSense version 2.4.4-RELEASE (amd64). We set up the Snort package, version 3.2.9.7_2. We activated several rules which generate alerts. We created a pass list with many IP addresses to whitelist (not block). We associated this pass list with the WAN interface. The problem we encounter is that the pass list is not considered. Do you have any idea, please?

      Thank You for your help

      Regards

      bmeeks @pfsense7515:

        @pfsense7515 said in Snort blocking pass list:

        Hello,

        We have pfSense version 2.4.4-RELEASE (amd64). We set up the Snort package, version 3.2.9.7_2. We activated several rules which generate alerts. We created a pass list with many IP addresses to whitelist (not block). We associated this pass list with the WAN interface. The problem we encounter is that the pass list is not considered. Do you have any idea, please?

        Thank You for your help

        Regards

        After you assigned the Pass List to the interface, did you restart Snort on that interface? Pass List contents are only read once, during startup of Snort on an interface.

        You also really need to consider updating. How did you even install that version of Snort? It has been out of date for quite some time.

        pfsense7515 @bmeeks:

          @bmeeks

          Hello, thank you for your reply. About your questions:

          - Did you restart Snort on that interface? Yes, I tried several times but without success. Do you need to restart the Snort service?

          - How did you even install that version of Snort? We set up the integrated package included in pfSense.

          We are aware that it is necessary to update. Do you have any other suggestions, please?

          Thanks a lot

          bmeeks @pfsense7515:

            @pfsense7515 said in Snort blocking pass list:

            @bmeeks

            Hello, thank you for your reply. About your questions:

            - Did you restart Snort on that interface? Yes, I tried several times but without success. Do you need to restart the Snort service?

            - How did you even install that version of Snort? We set up the integrated package included in pfSense.

            We are aware that it is necessary to update. Do you have any other suggestions, please?

            Thanks a lot

            No, I have no other suggestions if you have done all of the following:

            1. Open the INTERFACE SETTINGS tab for the affected Snort interface and select the desired Pass List by name in the drop-down selector for Pass List assignment.

            2. SAVE that change and return to the INTERFACES tab in Snort.

            3. Click the icon on the affected interface to restart Snort.

            If Snort has already previously blocked a particular IP address, then you must manually remove that block by going to the BLOCKED tab and deleting the address from the list (or just clear all blocks). Snort hands off blocking to pfSense, so restarting Snort or stopping Snort will not unblock a previously blocked IP address. Just pointing that out because some folks think otherwise. Snort is not dynamic. It only reads a Pass List when starting, and it can't "unblock" anything. When a Snort alert triggers, Snort extracts the IP from the triggering packet and sends it to the firewall for blocking. After that, pfSense itself holds the block, not Snort.

            You really need to update your firewall. Running out of date software on a critical component such as a network firewall is not wise.

            1 Reply Last reply Reply Quote 0
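            The two checks bmeeks describes above (is the address actually covered by an entry in the Pass List, and is pf still holding an old block for it after the restart) can be scripted. The following is an added example written for this thread, not code from the pfSense Snort package or from any poster. It assumes the Pass List is available as a plain text file with one IPv4 address or CIDR per line (the path is passed in, since the package's on-disk location is not stated here), and that Snort's blocks live in the pf table named `snort2c`, which is the table the pfSense Snort package uses; `pfctl -t <table> -T show` lists that table's members.

```shell
#!/bin/sh
# Diagnose a "Pass List seems to be ignored" report on pfSense + Snort.
# Added example for this thread; not the Snort package's own tooling.
# Assumptions: pass list = text file, one IPv4 or CIDR per line, '#' comments;
# Snort's blocks are held by pf in the table "snort2c".

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if IPv4 $1 lies inside $2 (a plain address or a CIDR), else 1.
cidr_contains() {
    net=${2%/*}
    case "$2" in
        */*) bits=${2#*/} ;;
        *)   bits=32 ;;
    esac
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Print the first pass list entry that covers IPv4 $1 (file $2); return 1 if none.
# A "no match" here means the list, not the restart, is the problem.
passlist_match() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                    # strip trailing comments
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -z "$entry" ] && continue
        if cidr_contains "$1" "$entry"; then
            echo "$entry"
            return 0
        fi
    done < "$2"
    return 1
}

# Report whether pf still holds a Snort block for $1. The block survives a
# Snort restart, which is why the BLOCKED tab must be cleared by hand.
pf_block_state() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not available on this host; skipping pf table check"
        return 2
    fi
    if pfctl -t snort2c -T show 2>/dev/null | tr -d ' ' | grep -qx "$1"; then
        echo "$1 is still in pf table snort2c: clear it on the BLOCKED tab"
        return 0
    fi
    echo "$1 is not in pf table snort2c"
    return 1
}

# Combine both checks for one address.
diagnose() {
    if m=$(passlist_match "$1" "$2"); then
        echo "$1 is covered by pass list entry $m (restart Snort on the interface so it is read)"
    else
        echo "$1 is NOT covered by any entry in $2; fix the list first"
    fi
    pf_block_state "$1"
}

# Stand-alone demo with a constructed pass list (not a real customer list).
if [ "${DIAG_DEMO:-1}" = 1 ]; then
    tmp=$(mktemp)
    printf '# constructed sample pass list\n192.0.2.0/24\n203.0.113.7\n' > "$tmp"
    diagnose 192.0.2.45  "$tmp"
    diagnose 203.0.113.8 "$tmp"
    rm -f "$tmp"
fi
```

            Run it on the firewall as `sh diag.sh` after exporting the Pass List to a file; an address that prints "NOT covered" was never going to be honoured regardless of restarts, and one that is "still in pf table snort2c" is being held by pfSense exactly as described in the reply above.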