Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Using the same whitelist in pfB and Snort

    pfBlockerNG
    4
    22
    513
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      SteveITS Rebel Alliance @bmeeks
      last edited by

      @bmeeks None of the above 3 alias names in the pass list appear in the log file and I don't see any errors.

      I suppose it would be "more correct" to put the latter two aliases into the Suricata_Trusted_Hosts alias since that was its purpose. I did for one but the other is a Network alias so does not work if I put it inside the Suricata_Trusted_Hosts alias (pfSense doesn't offer it in autocomplete). Which I think is why it was listed separately, IIRC now that I've written this paragraph.

      If I do that, and restart Suricata, then View List still lists "Suricata_Trusted_Hosts" as a string, as above. The VPN IPs are no longer separately listed.

      To be clear this Suricata_Trusted_Hosts is a pfSense firewall alias which contains other aliases and a handful of IPs.

      I'm not aware of hosts in Suricata_Trusted_Hosts being blocked so I assume it's working anyway...?

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      bmeeksB 1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks @SteveITS
        last edited by

        @SteveITS said in Using the same whitelist in pfB and Snort:

        I'm not aware of hosts in Suricata_Trusted_Hosts being blocked so I assume it's working anyway...?

        That's the bottom line. If the hosts you do not want to get blocked are not getting blocked, then all is good.

        I don't recall specifically testing with nested aliases back when I wrote the new alias functionality into the custom blocking plugin. I was mainly going after FQDNs (fully qualified domain names) at the time.

        But the plugin is not digging into the alias to resolve it. It simply looks in the same pf tables that are listed under DIAGNOSTICS > TABLES. If the alias is there and is populated, then the plugin can test for IP addresses in the alias. If the alias is not listed under DIAGNOSTICS > TABLES, then Suricata is not using it even though it may show up in the View List dialog when viewing a Pass List.

        I built a sort of fail-safe error handling feature into the custom code so that it will silently ignore an alias that is not found during run time. The operating assumption there is the admin might have removed the alias and I didn't want the running Suricata process to abort if that happened.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.