Whitelists not working on latest snort (2.8.6 pkg v. 1.33) for 1.2.3-RC3

  • After totally destroying my snort installation to install the newer version (2.8.6) from packages, I finally got the whitelist php GUI working, but the actual whitelist itself does not seem to be working. I have an IP in there I have to keep un-blocking (or simply turn off snort) that's in the whitelist yet still being blocked. There are a lot of IPs in there and NONE of them are being ignored, even after re-creating the whitelist. I properly set it to use "MyWhitelist" instead of default. What can I do to start troubleshooting this issue? Is there a way to see what whitelist snort is using while it's running?

    Looking in the snort.conf for my particular adapter, the only line I see referencing the whitelist is this:

    "output alert_pf: /usr/local/etc/snort/whitelist/MyWhitelist,snort2c"

    And nothing in the rc.d snort.sh file.

    snort: 2.8.6 pkg v. 1.27
    pfSense: 1.2.3-RC3

    Edit: Added that none of the IPs in the whitelist are being ignored, even after re-creating it.

  • This problem (Whitelist being ignored) still occurs after a fresh installation of Snort Package v1.33 (2.8.6).

    Additionally, now my Snort GUI is anchored incorrectly. This is after I seemingly deleted all traces of Snort.

  • Thank you very much! Great to see progress being made on this issue. Don't forget about my one-line suggestion for snort.inc in http://forum.pfsense.org/index.php/topic,26324.msg136986.html#msg136986 for when you get a different return than expected from the gateways. One extra replace shouldn't hurt.

    I will upgrade to release (stable) as soon as a package with the fix in is ready for testing.

  • Fixed it. Sorry about that.


  • Awesome Jamesdean - Looking forward to the release - Keep up the good work =)

  • THre

    Please do a cat on /usr/local/etc/snort/whitelist/MyWhitelist and post the output.

    cat /usr/local/etc/snort/whitelist/MyWhitelist

