Whitelists not working on latest snort (2.8.6 pkg v. 1.33) for 1.2.3-RC3
-
After totally destroying my snort installation to install the newer version (2.8.6) from packages, I finally got the whitelist php GUI working, but the actual whitelist itself does not seem to be working. I have an IP in there I have to keep un-blocking (or simply turn off snort) that's in the whitelist yet still being blocked. There are a lot of IPs in there and NONE of them are being ignored, even after re-creating the whitelist. I properly set it to use "MyWhitelist" instead of default. What can I do to start troubleshooting this issue? Is there a way to see what whitelist snort is using while it's running?
Looking in the snort.conf for my particular adapter, the only line I see referencing the whitelist is this:
"output alert_pf: /usr/local/etc/snort/whitelist/MyWhitelist,snort2c"
And nothing in the rc.d snort.sh file.
snort: 2.8.6 pkg v. 1.27
pfSense: 1.2.3-RC3
Edit: Added that none of the IPs in the whitelist are being ignored, even after re-creating it.
-
This problem (Whitelist being ignored) still occurs after a fresh installation of Snort Package v1.33 (2.8.6).
Additionally, now my Snort GUI is anchored incorrectly. This is after I seemingly deleted all traces of Snort.
-
Thank you very much! Great to see progress being made on this issue. Don't forget about my one-line suggestion for snort.inc in http://forum.pfsense.org/index.php/topic,26324.msg136986.html#msg136986 for when you get a different return than expected from the gateways. One extra replace shouldn't hurt.
I will upgrade to release (stable) as soon as a package with the fix in is ready for testing.
-
Fixed it. Sorry about that.
James
-
Awesome Jamesdean - Looking forward to the release - Keep up the good work =)
-
Please do a cat on /usr/local/etc/snort/whitelist/MyWhitelist and post the output.
cat /usr/local/etc/snort/whitelist/MyWhitelist
James