Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort Bug: HOME_NET line being mis-written. Comma at string end.

    pfSense Packages
    4
    6
    3824
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      Numbski
      last edited by

      In /usr/local/etc/snort.conf, we have a line like so:

      var HOME_NET [CIDR,CIDR,CIDR]

      The problem is that the module writes the line out like this:

      var HOME_NET [CIDR,CIDR,CIDR,]

      I have to keep going in and manually removing the last comma.  It's probably just a loop that appends a comma after each entry.  Any way we can clean that up?

      Also, it appears that snort is somwhat picky, and wants larger network entries towards the beginning, and individual addresses at the end.  I know, it sounds dumb, but for some reason I have to manually sort the list so that /24's go first, /29's, then /32's, otherwise addresses fail to be whitelisted.  I don't get it….

      1 Reply Last reply Reply Quote 0
      • N
        Numbski
        last edited by

        My mistake.  The whitelist sorting problem occurs in /var/db/whitellist, not in HOME_NET.  Still a problem, just told you the wrong place.  Ooops.

        UPDATE:  Does snort2c even recognize CIDR notation?  Per the web site and man page, it expects just plain old IP's, not IP/mask.  Ruh roh.

        1 Reply Last reply Reply Quote 0
        • S
          sullrich
          last edited by

          Hrm.  Please open a bug report at cvstrac.pfsense.com

          Thanks!

          1 Reply Last reply Reply Quote 0
          • W
            wyckedone
            last edited by

            @Numbski:

            UPDATE:  Does snort2c even recognize CIDR notation?  Per the web site and man page, it expects just plain old IP's, not IP/mask.  Ruh roh.

            I am using CIDR blocks on my setup.  My Vonage connection stopped working after updating Snort on 1/22/07.  When I checked the firewall logs, it showed Snort was blocking all UDP connections from Vonage IPs.  I added the two Vonage CIDR blocks, pulled from an ARIN search of the IP's, to Snort's whitelist and it starting working again.

            I'm using pfSense snapshot 1-22-2007, if that matters.

            1 Reply Last reply Reply Quote 0
            • P
              PC_Arcade
              last edited by

              Is this related? : http://forum.pfsense.org/index.php/topic,3390.0.html

              1 Reply Last reply Reply Quote 0
              • N
                Numbski
                last edited by

                Bug opened, but closed.  Thanks for that. :)  Now if only I could figure out why /var/db/whitelist winds up being such a mess for me. :(  It doesn't work right at all unless I manually clean it up after each reboot.  It appears to keep dumping duplicates into the file, and unless I sort network large to small, it's no good.

                That, and I have a network, x.x.x.0/24 for I have in /var/db/whitelist, but snort keeps adding x.x.x.11 to the blocklist.  Unless I put x.x.x.11/32 in there as well, it keeps getting blocked.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post