Netgate Discussion Forum

    Snort Alert Pass List

    pfSense Packages
    • C
      Cannondale

      New to pfSense and currently running v2.6.

      I have been reviewing the Snort Alerts and have found several IPs that need to be added to the Pass List.
      The documentation on Pass Lists indicates that Pass Lists are lists of IP addresses that Snort should never block.
      The Snort Alerts page displays IPs in the Source and Destination columns.
      When adding IPs to the Pass List, is it the Source IPs that will be whitelisted and not the Destination IP?

      • S
        SteveITS Galactic Empire @Cannondale

        @cannondale It depends, which do you trust/never want blocked? :)

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • C
          Cannondale

          I see a particular IP that belongs to my ISP in the Source and Destination Alert columns.
          I believe that the Source IP should be added to the Pass List.
          However, the same IP appears in the Destination column on other Alerts with the description:
          ET DROP Dshield Block Listed Source group 1

          This SID is blocked by Snort.

          Not clear how the Alert Pass List works.

          • S
            SteveITS Galactic Empire @Cannondale

            @cannondale Sounds like you are running Snort on WAN. There, it is outside the firewall so will scan traffic that will be blocked.

            Is the IP your WAN IP? Seems like it has to be for you to see incoming traffic. With Snort on LAN you’ll see the IP of LAN devices.

            A pass list does not block IPs that show on the pass list.

            If you run Snort on WAN and pass your own IP, might as well turn off Snort.

            • C
              Cannondale @SteveITS

              Thanks for the additional information, Steve! I currently have Snort configured to run on just the WAN interface, which is my ISP.

              Just wanted to clarify your comment "If you run Snort on WAN and pass your own IP, might as well turn off Snort".
              You mean Pass List my ISP's Source IP? Correct?

              • S
                SteveITS Galactic Empire @Cannondale

                @cannondale Right, traffic to or from IPs on a pass list will not be blocked.

                • C
                  Cannondale @SteveITS

                  Thanks for the clarification, Steve! Given that my Snort installation is new, I would like to review the Alerts and tune the Alerts that Snort has identified that should not be blocked. Is there a guide / video that can help someone new to Snort analyze the Alert log?

                  • S
                    SteveITS Galactic Empire @Cannondale

                    @cannondale I am sure they are somewhere on the Internet but am not aware of any. But you can read through the pinned posts in https://forum.netgate.com/category/53/ids-ips, notably the Quick Setup thread, and any of bmeeks' posts.

                    • C
                      Cannondale @SteveITS

                      Thanks, Steve! I'll check them out!
