Snort 2.8.5.3 pkg v. 1.21 whitelist problems



  • James,

    I am now running pfsense: 1.2.3-RELEASE and Snort 2.8.5.3 pkg v. 1.21

    The whitelist does not seem to be working, nor does the CIDR notation.

    Snort keeps blocking the IP that I whitelisted; could you please check?

    Regards,

    Davec



  • Running into the same problem here, is there anything that can be done?  I can't turn on my blocking without this…



  • Dear jaysonr,

    So far, these are the 2 issues I noticed.

    In the old Snort, you could just place an IP address such as 123.123.123.123. Now we need to insert something like 123.123.123.123/30. Correct me if I am wrong.

    Also, in the Categories, quite a number of categories have issues:

    No success enabling Snort with these rules:
    emerging-dos.rules
    emerging-drop.rules
    emerging-malware.rules
    emerging-virus.rules

    Success enabling Snort with these rules:
    emerging-rbn.rules
    emerging-tor.rules
    snort_ddos.rules
    snort_dns.rules
    snort_dos.rules
    snort_experimental.rules
    snort_exploit.rules
    snort_exploit.so.rules
    snort_mysql.rules
    snort_pop2.rules
    snort_sql.rules
    snort_sql.so.rules

    Davc



    I've been using the CIDR notation, and even tried with and without it; it seems to basically just ignore what I put in the whitelist.

    I'm going to try to edit the Threshold file to ignore my IP:

    suppress gen_id 0, sig_id 0, track by_src, ip {my_ip}

    I'll post my results

    EDIT:
    Checked the logs today, looks like that made the difference.  I can turn back on my blocking now!
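
Added example, not written by anyone in this thread: a Python helper that parses whitelist entries (bare IPs or CIDR), shows which addresses an entry such as 123.123.123.123/30 really covers, and emits suppress lines in the form quoted in the last post. The function names and the sample entries are assumptions made for illustration.

```python
import ipaddress

def parse_whitelist(entries):
    """Split entries into parsed networks and rejected strings.
    strict=False accepts host bits, e.g. 123.123.123.123/30."""
    nets, rejected = [], []
    for raw in entries:
        entry = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    return nets, rejected

def covering(ip, entries):
    """Return the whitelist networks that contain ip (empty list = not covered)."""
    addr = ipaddress.ip_address(ip)
    nets, _ = parse_whitelist(entries)
    return [str(n) for n in nets if n.version == addr.version and addr in n]

def suppress_lines(entries):
    """One suppress line per unique entry, in the form quoted in the post."""
    nets, _ = parse_whitelist(entries)
    key = lambda n: (n.version, int(n.network_address), n.prefixlen)
    out = []
    for net in sorted(set(nets), key=key):
        # A single host is written bare, a range keeps its CIDR prefix.
        target = str(net.network_address) if net.num_addresses == 1 else str(net)
        out.append(f"suppress gen_id 0, sig_id 0, track by_src, ip {target}")
    return out

if __name__ == "__main__":
    # Constructed sample whitelist; 192.0.2.10 is a documentation address.
    sample = ["123.123.123.123/30", "192.0.2.10", "10.0.0.300  # typo"]
    nets, rejected = parse_whitelist(sample)
    print("rejected:", rejected)
    for probe in ("123.123.123.121", "123.123.123.124"):
        print(probe, "->", covering(probe, sample) or "not covered")
    print("\n".join(suppress_lines(sample)))
```

An entry of 123.123.123.123/30 normalises to 123.123.123.120/30, which is four addresses (.120 to .123) rather than one host; a single host is /32.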

