Netgate Discussion Forum
    Suricata passlist clarification

    Troutpocket

      Re: About Pass Lists in Suricata

      Pfsense CE 2.5.2-RELEASE (amd64)
      Suricata 6.0.3_3

      My expectation was that IP addresses added in the Firewall/Aliases section could be included in the Pass_List on the interface. Suricata lets me create a passlist with the alias, but never added the contents (IP addresses) if they were a single host. I had to choose the "Network" option in Firewall/Aliases, which includes the mask option on the line (11.22.33.44/32), and then it was added to the passlist.

      In the post referenced, the author states "The IP addresses can be for individual hosts, or entire CIDR blocks". Unfortunately, my experience is that it can only be added with CIDR notation - which can still be a single host, but requires adding as a "Network". I'm not sure if that's by design and not specified in the documentation, or a bug.

      SteveITS @Troutpocket

        @troutpocket There's a bug in 6.0.3_3, see https://redmine.pfsense.org/issues/12476. If you click through to the code commit, change file /usr/local/pkg/suricata/suricata.inc

        line 579
        from
        if (empty($vald) || !is_subnet($vald)) {
        to:
        if (empty($vald) || (!is_subnet($vald) && !is_ipaddr($vald))) {

        You can edit a file from the Diagnostics menu.


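As an added illustration (not code from this thread or from the pfSense Suricata package), the following Python re-creates the two checks named in the post and shows why a single-host alias entry vanished from the passlist in 6.0.3_3 and is kept after the fix. The alias values are constructed, and is_subnet/is_ipaddr are approximations of the pfSense PHP helpers of the same names.

```python
import ipaddress

# Constructed alias contents, as the Firewall/Aliases page would hand them to
# the passlist builder: two single hosts, one CIDR block, one junk entry.
ALIAS_ENTRIES = ["10.0.0.5", "192.168.1.20", "172.16.0.0/24", "not-an-address"]


def is_subnet(value: str) -> bool:
    """True only for CIDR notation with an explicit prefix, e.g. 172.16.0.0/24."""
    if "/" not in value:
        return False
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def is_ipaddr(value: str) -> bool:
    """True for a bare IPv4/IPv6 address without a prefix."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def passlist_before(entries):
    """Mirrors the 6.0.3_3 check: anything that is not a subnet is dropped."""
    kept = []
    for vald in entries:
        if not vald or not is_subnet(vald):
            continue  # single hosts are silently discarded here
        kept.append(vald)
    return kept


def passlist_after(entries):
    """Mirrors the fixed check: subnets and bare addresses both survive."""
    kept = []
    for vald in entries:
        if not vald or (not is_subnet(vald) and not is_ipaddr(vald)):
            continue  # only genuinely invalid entries are discarded
        kept.append(vald)
    return kept


if __name__ == "__main__":
    print("before fix:", passlist_before(ALIAS_ENTRIES))  # only the /24 survives
    print("after fix: ", passlist_after(ALIAS_ENTRIES))   # hosts are kept as well
```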
        bmeeks

          Yeah, this bug is fixed in the DEVEL snapshot branch. To be honest I was thinking that fixed version had been merged over to RELEASE, but it has not.

          I will ask the Netgate team to merge the new Suricata package over into RELEASE. In the meantime, making the edit suggested by @SteveITS will correct the issue.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.