Snort Whitelisting in CIDR notation not working



  • Hi All,

    Whitelisting in CIDR notation does not work in Snort. The Snort version currently being used is Snort 2.8.4.1 pkg v. 1.5. Even in the previous versions, it doesn't work. I was hoping this new version would get it fixed, but no luck so far. Whitelisting only works on single IPs. Any workarounds for this?

    pfsense 1.2.2 and Snort 2.8.4.1 pkg v. 1.5

    Sicnarf



  • CIDR notation is supported in the snort package. Moreover, pfctl also supports CIDR notation.
    The format that the snort package and pfctl do not support is 1.2.3.4/24 - 2.1.3.4/24.

    This is the format that snort package supports.

    1.2.3.4
    5.6.7.8
    11.22.33.0/24

    James



  • Hi jamesdean,

    I'm trying to exclude all hosts within the ip range 192.168.0.0/16 so that all hosts from our private nets do not get blocked. Clearing blocked hosts on the local subnet from the blocked list is quite a tedious task. From what you have posted, this seems not possible. Also, I'm trying not to block our publicly-accessible hosts on a /26 block. Entering it as say 58.71.35.192/26 also does not work. I think it's also not possible based on your post.

    If this is not possible, what can you suggest that I do so that I can exclude these hosts from being blocked?



  • sicnarf

    192.168.0.0/16 should work if you add that CIDR to the Whitelist tab. The Whitelist tab works with the /var/db/whitelist file, so make sure 192.168.0.0/16 gets added there. If it does get added to said file and blocks still occur, please post a message here on the forums.

    You can also add 192.168.0.0/16 to /usr/local/etc/snort/snort.conf file.

    So it would look like this.

    var HOME_NET [192.168.0.0/16,192.168.1.0/24,192.168.2.0/24,127.0.0.1]

    Remember, every time you restart snort you will lose the changes to snort.conf.

    I'm going to add code this weekend for whitelisting to snort.conf.

    james
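    The posts above disagree on whether a CIDR entry in /var/db/whitelist actually covers the hosts that are still being blocked. A quick way to check that independently of Snort is to parse the whitelist file with the same two accepted forms James lists (single IPs and CIDR blocks) and test each blocked address against it. The following script is an added example, not code from the pfSense snort package or from anyone in this thread; it assumes the whitelist file holds one entry per line (an assumption), and the sample contents and test addresses are constructed. It also flags the range form "1.2.3.4/24 - 2.1.3.4/24" that James says is not supported, so a stray entry in that format shows up as rejected rather than silently ignored.

```python
import ipaddress

# Constructed sample of a /var/db/whitelist file, one entry per line.
# The single IPs and CIDR blocks match the formats James lists as supported;
# the last line uses the range form his post says is NOT supported.
SAMPLE_WHITELIST = """\
1.2.3.4
5.6.7.8
11.22.33.0/24
192.168.0.0/16
58.71.35.192/26
1.2.3.4/24 - 2.1.3.4/24
"""


def parse_whitelist(text):
    """Parse whitelist text into (networks, rejected).

    networks: list of ipaddress network objects (a bare IP becomes a /32)
    rejected: raw lines that are neither a single IP nor a CIDR block
    """
    networks = []
    rejected = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits set in a CIDR entry,
            # e.g. 192.168.1.5/24 is read as 192.168.1.0/24
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            # range syntax such as "a/24 - b/24" lands here
            rejected.append(line)
    return networks, rejected


def covering_entry(ip, networks):
    """Return the whitelist entry (as a string) that covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def check_blocked(blocked_ips, whitelist_text):
    """Map each blocked IP to the whitelist entry that should have exempted it.

    A value of None means no whitelist entry covers that address, so a block
    on it is expected; a non-None value means the block contradicts the
    whitelist and is worth reporting.
    """
    networks, _rejected = parse_whitelist(whitelist_text)
    return {ip: covering_entry(ip, networks) for ip in blocked_ips}


if __name__ == "__main__":
    nets, bad = parse_whitelist(SAMPLE_WHITELIST)
    print("rejected entries:", bad)
    # constructed addresses: two private hosts, one inside and one outside the /26
    for ip, entry in check_blocked(
        ["192.168.5.7", "192.168.200.1", "58.71.35.200", "58.71.35.100"],
        SAMPLE_WHITELIST,
    ).items():
        print(f"{ip:>15} -> {entry}")
```

    On a pfSense box the text would come from reading /var/db/whitelist and the blocked addresses from the Blocked tab; any address that maps to a non-None entry is a host the whitelist should have protected, which is exactly the evidence James asks for in the post above.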



  • Hi james,

    Will try it out once I get snort re-installed on the boxes. I removed them when I had the automatic block problems because it blocked almost everybody out. Will give you feedback once I get it to work on it.

    sicnarf



  • Hi james,

    From my tests last night, it still was blocking hosts on the Whitelist tab. I tried your suggestions and it still did block them. What do you need from me so that we can troubleshoot this problem effectively? The address range goes into the /var/db/whitelist file.

    One thing I noticed was that snort also automatically adds the local networks of the interfaces (/24s). This was kind of weird, since I think this was the previous configuration that I had and it's still loading them even if what's left in the Whitelist tab is the /16 and the /26 networks. Does snort have some sort of storage area for previous configuration and load configuration from this file? Just thought this might help, but I guess this is another story.

    sicnarf = francis :)

