Netgate Discussion Forum
    Snort Whitelisting in CIDR notation not working

    pfSense Packages
    6 Posts 2 Posters 3.5k Views
    sicnarf

      Hi All,

      Whitelisting in CIDR notation does not work in Snort. The Snort version currently being used is Snort 2.8.4.1 pkg v. 1.5. Even in the previous versions, it doesn't work. I was hoping this new version would get it fixed, but no luck so far. Whitelisting only works on single IPs. Any workarounds for this?

      pfSense 1.2.2 and Snort 2.8.4.1 pkg v. 1.5

      Sicnarf

      jamesdean

        CIDR notation is supported in the snort package. Moreover, pfctl also supports CIDR notation.
        The format that the snort package and pfctl do not support is 1.2.3.4/24 - 2.1.3.4/24.

        This is the format that snort package supports.

        1.2.3.4
        5.6.7.8
        11.22.33.0/24

        James

        sicnarf

          Hi jamesdean,

          I'm trying to exclude all hosts within the IP range 192.168.0.0/16 so that all hosts from our private nets do not get blocked. Clearing blocked hosts on the local subnet from the blocked list is quite a tedious task. From what you have posted, this seems not possible. Also, I'm trying not to block our publicly accessible hosts on a /26 block. Entering it as, say, 58.71.35.192/26 also does not work. I think it's also not possible based on your post.

          If this is not possible, what can you suggest that I do so that I can exclude these hosts from being blocked?

          jamesdean

            sicnarf

            192.168.0.0/16 should work if you add that CIDR to the Whitelist tab. The Whitelist tab works with the /var/db/whitelist file, so make sure 192.168.0.0/16 gets added there. If it does get added to said file and blocks still occur, please post a message here on the forums.

            You can also add 192.168.0.0/16 to /usr/local/etc/snort/snort.conf file.

            So it would look like this.

            var HOME_NET [192.168.0.0/16,192.168.1.0/24,192.168.2.0/24,127.0.0.1]

            Remember, every time you restart snort you will lose the changes to snort.conf.

            I'm going to add code this weekend for white listing to snort.conf.

            james

            sicnarf
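The CIDR matching that the whitelist file is expected to perform, as an added example that is not part of this thread or of the pfSense snort package: a POSIX sh script that reads a whitelist in the shape James describes in his two posts (one host or CIDR per line, with the unsupported "1.2.3.4/24 - 2.1.3.4/24" range form rejected rather than silently accepted) and reports whether a given address is covered, defaulting to the /var/db/whitelist path named above. The function names, the probe addresses and the sample whitelist contents are constructed for the example; running it against a live box requires only the file path.

```shell
#!/bin/sh
# Added example, not code from the pfSense snort package: check whether an
# address is covered by a whitelist file in the package's one-entry-per-line
# format. Function names are this example's own (hypothetical).

# is_ipv4 ADDR: succeed if ADDR is a dotted quad with four octets of 0..255.
is_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    IFS=. read -r a b c d e <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$e" ] && [ "$a" -le 255 ] && [ "$b" -le 255 ] \
        && [ "$c" -le 255 ] && [ "$d" -le 255 ]
}

# ip2int ADDR: dotted quad -> 32-bit integer, so prefixes can be compared by mask.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_contains ENTRY ADDR: succeed if ADDR lies inside ENTRY. A bare address
# is treated as a /32, which is how a single-host whitelist entry behaves.
cidr_contains() {
    case $1 in
        */*) net=${1%/*}; plen=${1#*/} ;;
        *)   net=$1;      plen=32 ;;
    esac
    case $plen in
        ''|*[!0-9]*) return 2 ;;                 # non-numeric prefix length
    esac
    [ "$plen" -le 32 ] || return 2
    is_ipv4 "$net" && is_ipv4 "$2" || return 2
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# whitelisted ADDR [FILE]: walk the whitelist (default: the /var/db/whitelist
# path from the thread) and succeed on the first entry that covers ADDR.
# "a/24 - b/24" range entries are reported and skipped, since neither the
# package nor pfctl reads that form; leaving them in place buys no protection.
whitelisted() {
    ip=$1
    file=${2:-/var/db/whitelist}
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=${entry%%#*}                       # drop trailing comments
        case $entry in
            *-*) echo "skipping unsupported range entry: $entry" >&2; continue ;;
        esac
        set -- $entry                            # trims surrounding whitespace
        [ $# -eq 1 ] || continue                 # blank line or junk
        entry=$1
        if cidr_contains "$entry" "$ip"; then
            echo "$ip is covered by $entry"
            return 0
        fi
    done < "$file"
    echo "$ip is not whitelisted"
    return 1
}

# Constructed sample whitelist in the same shape as /var/db/whitelist.
WL=$(mktemp)
trap 'rm -f "$WL"' EXIT
cat > "$WL" <<'EOF'
# hosts and networks the package must never add to its block table
1.2.3.4
192.168.0.0/16
58.71.35.192/26
1.2.3.4/24 - 2.1.3.4/24
EOF

# Probe addresses (constructed): two inside the /16 and /26, one just outside
# the /26, the single host, and one that only the rejected range would cover.
for probe in 192.168.44.9 58.71.35.200 58.71.35.100 1.2.3.4 2.1.3.9; do
    whitelisted "$probe" "$WL" || :
done
```

Pointing `whitelisted` at the real file (omit the second argument) shows whether an address that keeps landing in the block list is actually matched by what the Whitelist tab wrote out; if it is covered here and still gets blocked, the problem is downstream of the file, which is the case James asks to have reported.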

              Hi james,

              Will try it out once I get snort re-installed on the boxes. I removed them when I had the automatic block problems because it blocked almost everybody out. Will give you feedback once I get it to work.

              sicnarf

              sicnarf

                Hi james,

                From my tests last night, it was still blocking hosts on the Whitelist tab. I tried your suggestions and it still blocked them. What do you need from me so that we can troubleshoot this problem effectively? The address range does go into the /var/db/whitelist file.

                One thing I noticed was that snort also automatically adds the local networks of the interfaces (/24s). This was kind of weird, since I think this was the previous configuration I had, and it's still loading them even though what's left in the Whitelist tab is the /16 and the /26 networks. Does snort have some sort of storage area for previous configuration and load configuration from this file? Just thought this might help, but I guess this is another story.

                sicnarf = francis :)

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.