Snort Alert Pass List
-
New to pfSense and currently running v2.6.
I have been reviewing the Snort Alerts and have found several IPs that need to be added to the Pass List.
The documentation on Pass Lists indicates that Pass Lists are lists of IP addresses that Snort should never block.
The Snort Alerts page displays IPs in the Source and Destination columns.
When adding IPs to the Pass List, is it the Source IPs that will be whitelisted and not the Destination IP?
-
@cannondale It depends, which do you trust/never want blocked? :)
-
I see a particular IP that belongs to my ISP in the Source and Destination Alert columns.
I believe that the Source IP should be added to the Pass List.
However, the same IP appears in the Destination column on other Alerts with the description:
ET DROP Dshield Block Listed Source group 1
This SID is blocked by Snort.
Not clear how the Alert Pass List works.
-
@cannondale Sounds like you are running Snort on WAN. There, it is outside the firewall so will scan traffic that will be blocked.
Is the IP your WAN IP? Seems like it has to be for you to see incoming traffic. With Snort on LAN you’ll see the IP of LAN devices.
A pass list does not block IPs that show on the pass list.
If you run Snort on WAN and pass your own IP, might as well turn off Snort.
-
Thanks for the additional information steve! I currently have Snort configured to run on just the WAN interface, which is my ISP.
Just wanted to clarify your comment "If you run Snort on WAN and pass your own IP, might as well turn off Snort".
You mean Pass List my ISPs Source IP? Correct?
-
@cannondale Right, traffic to or from IPs on a pass list will not be blocked.
-
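To make the pass list question concrete, here is a small model of how a Snort pass list interacts with "block offenders" on pfSense. This is an added example, not code from the thread or from the pfSense Snort package, and it rests on two assumptions of mine: that the package picks the blocking candidate per alert according to its "Which IP to Block" setting (SRC, DST or BOTH), and that an address on the pass list is simply never inserted into the block table, which is the documentation wording quoted earlier in the thread ("IP addresses that Snort should never block"). The alert lines, the CSV column layout, the WAN address 203.0.113.10 and the helper names (parse_alerts, summarize_by_ip, blocked_addresses) are all constructed for the demo, not the package's real alert.log format.

```python
# Added example (not from the thread or from pfSense): model of a Snort pass
# list applied to block decisions. ASSUMPTIONS: per-alert blocking candidate
# chosen by a "which IP to block" setting (src/dst/both); pass-listed addresses
# are never put in the block table. Alert lines, CSV layout and the WAN
# address below are constructed sample data, not the real alert.log format.
import csv
import io
import ipaddress
from collections import defaultdict

WAN_IP = "203.0.113.10"  # constructed: the firewall's public (WAN) address

# Constructed alert log, fields: msg, proto, src, srcport, dst, dstport.
# On a WAN-side sensor the firewall's own address is dst on inbound alerts
# and src on outbound ones, which is why it shows up in both columns.
SAMPLE_LOG = f"""\
"ET DROP Dshield Block Listed Source group 1",TCP,198.51.100.7,41922,{WAN_IP},22
"CONSTRUCTED SCAN example",TCP,192.0.2.55,53311,{WAN_IP},22
"ET DROP Dshield Block Listed Source group 1",UDP,198.51.100.7,53,{WAN_IP},51000
"CONSTRUCTED POLICY outbound example",UDP,{WAN_IP},54000,192.0.2.53,53
"""


def parse_alerts(text):
    """Parse the constructed CSV into dicts carrying msg, proto, src and dst."""
    rows = csv.reader(io.StringIO(text))
    return [{"msg": r[0], "proto": r[1], "src": r[2], "dst": r[4]}
            for r in rows if r]


def parse_pass_list(entries):
    """Pass list entries may be single hosts or CIDRs; strict=False tolerates
    host bits set in a CIDR entry (e.g. 198.51.100.7/24)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def on_pass_list(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def summarize_by_ip(alerts):
    """Triage helper for reviewing alerts: how often each address appears as
    source vs destination. An address that is dst on every inbound alert is
    usually the sensor's own interface, not an offender."""
    counts = defaultdict(lambda: {"src": 0, "dst": 0})
    for a in alerts:
        counts[a["src"]]["src"] += 1
        counts[a["dst"]]["dst"] += 1
    return dict(counts)


def block_candidates(alert, which):
    """Address(es) the 'which IP to block' setting targets for one alert."""
    if which == "src":
        return [alert["src"]]
    if which == "dst":
        return [alert["dst"]]
    if which == "both":
        return [alert["src"], alert["dst"]]
    raise ValueError(f"unknown block setting: {which}")


def blocked_addresses(alerts, pass_list, which="both"):
    """Addresses that would land in the block table after the pass list is
    applied, sorted numerically."""
    nets = parse_pass_list(pass_list)
    hits = {ip for a in alerts
            for ip in block_candidates(a, which)
            if not on_pass_list(ip, nets)}
    return sorted(hits, key=ipaddress.ip_address)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    for ip, c in summarize_by_ip(alerts).items():
        print(f"{ip:15} as src: {c['src']}  as dst: {c['dst']}")
    print("no pass list, block both:", blocked_addresses(alerts, []))
    print("WAN IP passed, block both:", blocked_addresses(alerts, [WAN_IP]))
    print("WAN IP + 198.51.100.0/24 passed:",
          blocked_addresses(alerts, [WAN_IP, "198.51.100.0/24"]))
    print("WAN IP passed, block src only:",
          blocked_addresses(alerts, [WAN_IP], which="src"))
```

Under these assumptions the pass list is not tied to the Source or Destination column as such: it exempts whichever address the block setting would otherwise insert, so listing the firewall's own WAN address keeps the sensor from blocking itself while the remote addresses in the Source column are still blocked, and a remote address (or its whole /24) is only exempted when it is itself on the list.
-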
Thanks for the clarification steve! Given that my Snort installation is new, I would like to review the Alerts and tune the Alerts that Snort has identified that should not be blocked. Is there a guide / video that can help someone new to Snort analyze the Alert log?
-
@cannondale I am sure they are somewhere on the Internet but am not aware of any. But you can read through the pinned posts in https://forum.netgate.com/category/53/ids-ips, notably the Quick Setup thread, and any of bmeeks' posts.
-
Thanks steve! I'll check them out!