SNORT Whitelisting issues with IP addresses blocked that are in passlist
-
Hello Netgate Community,
I am having an issue with Snort; can anyone help?
I keep having Snort block items that are whitelisted for Disney Plus. I have added all the URLs and addresses that are accessed when this application is running; however, over time the IP addresses are blocked anyway. Can anyone help?
(Image: Alias created for Xbox)
(Image: Alias is added for Passlist in snort)
(Image: Pass list set on interface)
Over time the IP addresses that are listed in the whitelisting pass list are blocked anyway. Does this have issues with statically assigned addresses and hardware MAC addresses that are accessing the address from the internal network? I only have Snort set up on the WAN interface.
Am I missing a setting? I have even added the IP address directly; it will still block it after some time for Disney Plus and others.
-
You are likely hitting the limitation caused by the widespread use of CDNs and anycast DNS with super short TTL values. FQDN aliases are resolved by default every 5 minutes. It is possible that the IP changes more often than that, though. So at some given instant when Snort asks pfSense whether the IP address from a given packet is in the whitelist, it could be that the resolved IP has now changed, but your in-progress session is still using the old IP. That would result in a block if packets in your current session are coming from source 1.2.3.4, but when pfSense queries the domain 5 minutes later, due to the way load balancing is done around the world with large CDNs, the new IP might come back as 5.6.7.8.
The second problem is that unless your clients are all using pfSense for their DNS, a client could easily be given an IP for a CDN domain that is different from the one given to pfSense when it queried for an IP for that same domain.
But you have a much bigger problem than that in your configuration. It is totally wrong. You never want to put the exact same values in HOME_NET, EXTERNAL_NET and the Pass List boxes! Change HOME_NET and EXTERNAL_NET back to "default". You need to go read up some more on how an IDS/IPS works and what the HOME_NET and EXTERNAL_NET variables are all about and how they work. Your configuration is not at all correct.
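The timing problem described in the reply above, as an added example that is not part of the thread and not pfSense, filterdns or Snort code: a Pass List that is rebuilt from a fresh DNS answer on a fixed interval, a CDN that rotates its answer, and one long-lived session that stays on the first address. The domain, the addresses (RFC 5737 documentation ranges), the rotation schedule and the "sticky" variant are all constructed for illustration; the sticky variant is an assumption about a mitigation, not an option the pfSense package offers.

```python
# Added example, not pfSense, filterdns or Snort code. Models the race between
# a periodically re-resolved FQDN alias and an established session whose peer
# address was resolved earlier. All names, addresses and timings are constructed.

ROTATION = {"cdn.example.net": ["198.51.100.10", "198.51.100.20", "198.51.100.30"]}
ROTATE_EVERY = 300  # seconds between address changes on the constructed CDN


def resolve(fqdn: str, now: int) -> list[str]:
    """Constructed DNS answer for `fqdn` at time `now` (seconds since start)."""
    pool = ROTATION[fqdn]
    return [pool[(now // ROTATE_EVERY) % len(pool)]]


class SnapshotPassList:
    """Behaviour modelled from the reply: each refresh *replaces* the alias
    contents with whatever the resolver returns at that moment."""

    def __init__(self, fqdn: str, refresh_interval: int) -> None:
        self.fqdn = fqdn
        self.refresh_interval = refresh_interval
        self.addresses: set[str] = set()
        self.next_refresh = 0  # first resolution happens at t=0

    def tick(self, now: int) -> None:
        # Apply every refresh that is due up to `now`, in order.
        while now >= self.next_refresh:
            self.addresses = set(resolve(self.fqdn, self.next_refresh))
            self.next_refresh += self.refresh_interval

    def permits(self, src_ip: str, now: int) -> bool:
        """The per-packet question: is this source currently in the Pass List?"""
        self.tick(now)
        return src_ip in self.addresses


class StickyPassList(SnapshotPassList):
    """Illustrative mitigation (an assumption, not a pfSense option): keep every
    address seen until the resolver has not returned it for `grace` seconds, so
    a session to an older answer keeps passing the check."""

    def __init__(self, fqdn: str, refresh_interval: int, grace: int) -> None:
        super().__init__(fqdn, refresh_interval)
        self.grace = grace
        self.last_seen: dict[str, int] = {}

    def tick(self, now: int) -> None:
        while now >= self.next_refresh:
            for addr in resolve(self.fqdn, self.next_refresh):
                self.last_seen[addr] = self.next_refresh
            self.next_refresh += self.refresh_interval
        self.addresses = {a for a, t in self.last_seen.items() if now - t <= self.grace}


def blocked_packets(passlist: SnapshotPassList, src_ip: str, times: list[int]) -> list[int]:
    """Times at which a packet from `src_ip` would fail the Pass List check."""
    return [t for t in times if not passlist.permits(src_ip, t)]


# One streaming session, opened at t=0 to the address resolved at t=0,
# sending a packet every minute for 15 minutes (constructed).
SESSION_IP = "198.51.100.10"
PACKET_TIMES = list(range(0, 901, 60))


def run() -> tuple[list[int], list[int], list[int]]:
    default_5min = blocked_packets(SnapshotPassList("cdn.example.net", 300), SESSION_IP, PACKET_TIMES)
    faster_2min = blocked_packets(SnapshotPassList("cdn.example.net", 120), SESSION_IP, PACKET_TIMES)
    sticky = blocked_packets(StickyPassList("cdn.example.net", 120, grace=900), SESSION_IP, PACKET_TIMES)
    return default_5min, faster_2min, sticky


if __name__ == "__main__":
    for label, blocked in zip(("5 min refresh", "2 min refresh", "2 min + 15 min grace"), run()):
        print(f"{label:22s} blocked at t = {blocked}")
```

With the snapshot behaviour the session is blocked from the first refresh that returns a different address, and shortening the refresh interval only moves that moment; it does not remove it, because the resolver is still asked for a fresh answer rather than told which address the session is using. Only retaining previously seen addresses for a grace period keeps the established session passing.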
-
@bmeeks interesting, is there a way to set some alias to have quicker DNS checks? Streaming use options? Seems off.
-
@jonathanlee said in SNORT Whitelisting issues with IP addresses blocked that are in passlist:
@bmeeks is there a way to set some to have quicker DNS checks? Streaming use options? Seems off.
There is an option somewhere under SYSTEM > ADVANCED SETTINGS to increase the frequency at which filterdns resolves FQDN aliases, but that still may not help. CDNs are always going to serve up a multitude of IP addresses for a given domain, and those IP addresses are likely going to be served up with short TTL values. Some of it is to keep the entire system resilient, but I suspect at least some of it is to keep your clients constantly doing DNS lookups to increase traffic to generate more data that the companies can then resell for money. Perhaps that is just a cynical view, though.
You would be better served by looking at what rules are being triggered by your streaming traffic. Odds are they are either false positives, or you have enabled some of the "info" rules which are not actually made to be used for blocking. They just provide "information" about certain traffic flows. Unfortunately, when using Legacy Mode Blocking (which I assume you are using since you have a Pass List defined and in use), you can't differentiate between rule actions. In Legacy Mode, when blocking is enabled, any alert results in a block unless the Pass List check passes.
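An added helper for the triage suggested in the reply above (look at which rules are actually firing on the streaming traffic), not part of the thread and not code from the Snort package: it parses Snort fast-format alert lines, tallies hits per rule and per source address, and emits suppression entries in Snort's own threshold syntax. The alert lines, the SIDs (local 1000000+ range) and the addresses are constructed; the parser expects Snort's `alert_fast` output layout, which is an assumption here since the pfSense package writes its own alerts file in a different format.

```python
# Added example, not Snort or pfSense code. Parses Snort "alert_fast" lines,
# counts hits per rule and source, and proposes suppress entries. Every alert
# line, SID and address below is constructed for the example.
import re
from collections import Counter
from typing import Optional

# Snort "alert_fast" line layout, IPv4 only. The pfSense package's own alerts
# file uses a different (CSV-like) layout; adapt ALERT_RE if you feed that in.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed alerts: 198.51.100.0/24 plays the streaming CDN, 192.0.2.0/24 the
# LAN, 203.0.113.77 an unrelated scanner. SIDs are made up, local-range numbers.
SAMPLE_ALERTS = """\
01/15-20:01:03.112233  [**] [1:1000001:2] LOCAL INFO TLS session to video CDN [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.10:443 -> 192.0.2.20:51012
01/15-20:01:07.445566  [**] [1:1000001:2] LOCAL INFO TLS session to video CDN [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.20:443 -> 192.0.2.20:51013
01/15-20:02:41.778899  [**] [1:1000002:1] LOCAL INFO large UDP flow [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.20:443 -> 192.0.2.20:60001
01/15-20:03:15.000111  [**] [1:1000001:2] LOCAL INFO TLS session to video CDN [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.10:443 -> 192.0.2.21:51500
01/15-20:05:59.222333  [**] [1:1000003:1] LOCAL SCAN inbound SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.77:41222 -> 192.0.2.1:22
"""


def parse_alert(line: str) -> Optional[dict]:
    """One fast-format alert line to a dict, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["pri"] = int(alert["pri"])
    return alert


def summarize(log_text: str) -> dict[tuple[str, str], dict]:
    """Per (gid, sid): message, priority, hit count and per-source hit counts."""
    by_rule: dict[tuple[str, str], dict] = {}
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        key = (alert["gid"], alert["sid"])
        entry = by_rule.setdefault(
            key, {"msg": alert["msg"], "pri": alert["pri"], "count": 0, "sources": Counter()}
        )
        entry["count"] += 1
        entry["sources"][alert["src"]] += 1
    return by_rule


def suppressions_for(log_text: str, passlist_ips: set[str],
                     low_priority: int = 3, by_src: bool = True) -> list[str]:
    """Suppress entries (Snort threshold.conf syntax) for low-severity rules that
    fired on sources you already meant to pass. Snort priorities count down in
    severity (1 high, 3 low), so only rules with priority >= low_priority qualify."""
    out: list[str] = []
    for (gid, sid), entry in sorted(summarize(log_text).items()):
        if entry["pri"] < low_priority:
            continue  # leave genuinely severe alerts alone
        hits = [src for src in sorted(entry["sources"]) if src in passlist_ips]
        if not hits:
            continue
        if by_src:
            out.extend(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}" for src in hits)
        else:
            # CDN addresses rotate, so per-IP suppression ages out as quickly as a
            # pass list does; suppressing the whole rule is the durable choice
            # for a pure "info" signature.
            out.append(f"suppress gen_id {gid}, sig_id {sid}")
    return out


if __name__ == "__main__":
    for (gid, sid), e in sorted(summarize(SAMPLE_ALERTS).items()):
        print(f"{gid}:{sid} pri={e['pri']} hits={e['count']} {e['msg']!r} sources={dict(e['sources'])}")
    for line in suppressions_for(SAMPLE_ALERTS, {"198.51.100.10", "198.51.100.20"}, by_src=False):
        print(line)
```

Run it against a real alert file in place of SAMPLE_ALERTS and the summary shows at once whether the blocks come from a handful of priority-3 "info" signatures on the CDN ranges (suppress or disable those) or from something that deserves a look. Because Legacy Mode blocks on any alert regardless of the rule's action, removing the alert is the only way to stop the block short of the Pass List.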
-
Thanks for the reply,
I found the setting, thank you. The timer is now set to 2 mins. Disney is running fine now.
I also set the external net and internal back to default.
(Image: Changed FQDN DNS lookup to 2 mins for testing)
(Image: Removed Alias and set to default for IPS/IDS Snort External Net, and Home Net)
-
This fine-tuned it. The issue was with Squid and SSL use. I just needed to add the aliases inside Squid's general settings to pass the traffic to the firewall and not proxy it for Disney Plus. It fixed it: no more random issues, and I still have the proxy for the desktops and laptops.