Snort will not unblock a whitelisted IP



  • I blocked my VOIP provider on accident with snort. I had 7 day block time set for snort. When I whitelisted the IPs they still remained blocked.  :( Could there be a way to have an unblock icon by the blocked IPs in the list or to get the package to check the whitelisted addresses on save and remove blocked IPs?



  • Thanks James,

    You do a great deal for the pfsense community especially when it comes to packaging snort!

    The IP was listed in /var/db/whitelist

    Another little bug I noticed is with the rules page. The drop down does not seem to work after clicking on a rule URL from the categories page. Not sure if you knew or not. Just an FYI.

    I am running 2.8.4.1_5 pkg v.1.7
    1.2.3-RELEASE



  • I'm running the same version of Snort and my blocked page has the ability to remove a blocked IP.

    Edit:  Actually, under "Installed Packages" it says I have 2.8.4.1_5 pkg ver 1.7.  On the Snort settings page it shows I have 2.8.4.1_5 pkg ver 1.6 . . . so I'm not really sure what version is correct.




  • @g4m3c4ck:

    When I whitelisted the IPs they still remained blocked.

    I had a similar problem, an ip in the whitelist was blocked.

    I had to [Save] the snort configuration (on snort's main page), and remove this ip from the [Blocked] list, then it was ok, the ip was allowed.



  • I have several IPs on my LAN that are being blocked even though I have added the entire subnet (192.168.1.0/24) to the whitelist. If I manually add each IP it looks like it works (so far.) Does the addition of a entire network not function? Will I have to add each and every IP I want whitelisted? FYI: all entries do show up in /var/db/whitelist and I have Snort 2.8.5.3 pkg v. 1.21.



  • @smknjoe:

    I have several IPs on my LAN that are being blocked even though I have added the entire subnet (192.168.1.0/24) to the whitelist. If I manually add each IP it looks like it works (so far.) Does the addition of a entire network not function? Will I have to add each and every IP I want whitelisted? FYI: all entries do show up in /var/db/whitelist and I have Snort 2.8.5.3 pkg v. 1.21.

    Im working on it….

    James



  • Im working on it….

    Awesome, I really appreciate your help.

    1.2.3-RELEASE 
    Snort 2.8.5.3 pkg v. 1.21



  • Well, it looks like it blocks single LAN IPs (192.168.1.2 192.168.1.5) that are whitelisted also. :(

    1.2.3-RELEASE
    Snort 2.8.5.3 pkg v. 1.21



  • It ignores my whitelist too, no matter how many times I save/apply.

    I've tried:
    192.168.1.0/24
    192.168.1.1/32
    192.168.1.1

    pfsense 1.2.3-RELEASE
    Snort 2.8.5.3 pkg v. 1.22



  • After you create a whitelist or modify a whitelist you need to save your settings in the interface edit tab and restart the interface that is using the whitelist.
    Only CIDR blocks and ips are required.

    This will not work 192.168.1.1/32.

    USe only ips 192.168.1.1 or blocks 192.168.1.0/24.

    James



  • Thanks I will try this.

    I noticed that the IP's I submit for my whitelist are nowhere to be found in /usr/local/etc/snort/whitelist/mylist.

    I have to edit the file manually from the shell using VI. If I follow your procedure after I edit the file, then it seems to work.

    The file is rw-rw–-- and user/group is snort/snort.

    -Sean



  • hi all,

    Frist, thanks James for a very very nice tool !!!. Many thanks.

    Second, I'm having the same problem. The whitelist works for individual ips but not for block (x.x.x.x/24 entry). I've checked also the /usr/local/etc/snort/whitelist/mylist and it has the settings entered in the GUI. I have also restarted the snort service after each modify.

    Please help me … because entering each host ip is not an option.

    Thanks a lot !!!



  • sorry … I forgot the used versions...

    snort 2.8.5.3 pkg v. 1.25
    pfsense 1.2.3-RELEASE

    thanks



  • @goremache:

    sorry … I forgot the used versions...

    snort 2.8.5.3 pkg v. 1.25
    pfsense 1.2.3-RELEASE

    thanks

    I have to recode the ips plugin for snort so that cidr blocks can be used again.
    I am really busy with payed projects at the moment and will not be free for a month or so.

    James



  • It's ok …
    ...thanks for the support and looking forward for the new version :)



  • I have an issues with SNORT 2.8.5.3 V. 1.25 Blocking a Public IP just as everyone describes. Even after white listing it and restarting everything. I get an alert that states this (spp_frag3) Framentation overlap SID ID 123:8:1

    This ID is nowhere to be found in any of the categories?

    Please Help.



  • Reading another thread (spp_frag3) is a snort preprocessor error. Not sure how to fix it other than to suggest you turn on all the preprocessors to see if that fixes it.

    As far as whitelisting goes you need to find the offending rule that is blocking the address and create a suppress rule for it in the tab. I "believe" I got it to work by using this syntax.

    suppress gen_id 1, sig_id 11969, track by_src, ip 216.82.225.24

    I tried to get one rule to handle the same sig i.e.

    suppress gen_id 1, sig_id 11969, track by_src, ip 216.82.222.14
    suppress gen_id 1, sig_id 11969, track by_src, ip 216.82.212.10

    Edit: This doesn't work. I will try restarting the router and see if anything changes. It is still blocking a category I have recently unchecked.

    But I was not able to get it to work as above. Haven't had the time to test using a , or ; to separate due to time constraints.


Locked