Snort 1.0.1 bug?
-
After upgrading to 1.0.1, I noticed that IPs that are in my whitelist are now showing up in the blocked tab when they produce an alert. Is that the way it was intended to work?
-
No, but there were no code changes from 1.0 to 1.0.1 in this regard.
Do the IPs that you have defined show up in /var/db/whitelists?
-
I get a file not found when I try to load that file through edit file.
-
Sorry, it's /var/db/whitelist
-
Yep, they are there. Oddly enough, so are the ones I removed awhile back. The ones I removed previously before upgrade are just at the beginning of the list.
-
I believe snort is causing the rrd graph issue I also reported. I added the gateway for the WAN interface to the whitelist, since snort was blocking the ping. It has not resolved the rrd graph issue and snort is still blocking it. I even tried removing the IP from the blocked tab and it was inserted back into the blocked list a minute afterwards.
-
Something else I noticed in the log. I assume it's new since I haven't seen it before.
Oct 30 02:12:45 SnortStartup[1290]: Ram free BEFORE starting Snort: 16M – Ram free AFTER starting Snort: 286M -- Mode lowmem -- Snort memory usage: 133M
That line though is incorrect. Ram usage before I started snort was only at 11% (out of 512mb). Also, I am not running in lowmem mode, I am running in sparsebands.
-
Scott was already working on this yesterday:
http://cvstrac.pfsense.com/chngview?cn=15171
http://cvstrac.pfsense.com/chngview?cn=15172
Not sure if that already fixed it, haven't tested it yet. Reinstall the package and let us know ;)
-
Looks like it fixed it.