Netgate Discussion Forum

Snort Bug: HOME_NET line being mis-written. Comma at string end.

pfSense Packages
Numbski, Jan 24, 2007, 7:25 PM

    In /usr/local/etc/snort.conf, we have a line like so:

    var HOME_NET [CIDR,CIDR,CIDR]

    The problem is that the module writes the line out like this:

    var HOME_NET [CIDR,CIDR,CIDR,]

    I have to keep going in and manually removing the last comma.  It's probably just a loop that appends a comma after each entry.  Any way we can clean that up?

    Also, it appears that snort is somewhat picky, and wants larger network entries towards the beginning, and individual addresses at the end.  I know, it sounds dumb, but for some reason I have to manually sort the list so that /24's go first, then /29's, then /32's, otherwise addresses fail to be whitelisted.  I don't get it...

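The trailing-comma defect described in the post, alongside a writer that cannot produce it and a lint check for an existing snort.conf line. This is an added example in Python, not code from the pfSense snort package (which is written in PHP); the sample networks are constructed for the example, and the "append a comma after each entry" loop is the poster's guess at the cause, reproduced here only to show the resulting line.

```python
"""Rendering and linting Snort's HOME_NET variable (added example)."""
import ipaddress
import re

# Constructed sample input; these are not networks from the thread.
SAMPLE_NETS = ["192.168.1.0/24", "10.0.0.0/29", "172.16.5.7/32"]


def render_home_net_buggy(nets):
    """Reproduces the defect: a loop that appends a comma after every
    entry leaves one dangling before the closing bracket."""
    body = ""
    for net in nets:
        body += net + ","
    return "var HOME_NET [%s]" % body


def render_home_net(nets):
    """Correct writer: validate each entry, then join with commas so
    there is never a separator after the last element."""
    validated = [str(ipaddress.ip_network(n, strict=False)) for n in nets]
    if not validated:
        raise ValueError("HOME_NET must contain at least one network")
    return "var HOME_NET [%s]" % ",".join(validated)


_HOME_NET_RE = re.compile(r"^\s*var\s+HOME_NET\s+\[(.*)\]\s*$")


def lint_home_net(line):
    """Return a list of problems found in a 'var HOME_NET [...]' line.

    An empty element (from a trailing or doubled comma) is reported,
    as is anything that does not parse as an IPv4/IPv6 network."""
    m = _HOME_NET_RE.match(line)
    if not m:
        return ["line is not of the form 'var HOME_NET [...]'"]
    problems = []
    for idx, item in enumerate(m.group(1).split(",")):
        item = item.strip()
        if not item:
            problems.append("empty entry at position %d (stray comma)" % idx)
            continue
        try:
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            problems.append("invalid network %r at position %d" % (item, idx))
    return problems


if __name__ == "__main__":
    for writer in (render_home_net_buggy, render_home_net):
        line = writer(SAMPLE_NETS)
        print(line, lint_home_net(line))
```

Running the lint over `/usr/local/etc/snort.conf` after each package regeneration is a quick way to confirm whether the fix has landed without reading the file by hand.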
Numbski, Jan 24, 2007, 8:07 PM (last edited Jan 24, 2007, 8:27 PM)

      My mistake.  The whitelist sorting problem occurs in /var/db/whitelist, not in HOME_NET.  Still a problem, just told you the wrong place.  Oops.

      UPDATE:  Does snort2c even recognize CIDR notation?  Per the web site and man page, it expects just plain old IP's, not IP/mask.  Ruh roh.

sullrich, Jan 24, 2007, 8:42 PM

        Hrm.  Please open a bug report at cvstrac.pfsense.com

        Thanks!

wyckedone, Jan 24, 2007, 8:55 PM

          @Numbski:

          UPDATE:  Does snort2c even recognize CIDR notation?  Per the web site and man page, it expects just plain old IP's, not IP/mask.  Ruh roh.

          I am using CIDR blocks on my setup.  My Vonage connection stopped working after updating Snort on 1/22/07.  When I checked the firewall logs, it showed Snort was blocking all UDP connections from Vonage IPs.  I added the two Vonage CIDR blocks, pulled from an ARIN search of the IPs, to Snort's whitelist and it started working again.

          I'm using pfSense snapshot 1-22-2007, if that matters.

PC_Arcade, Jan 24, 2007, 10:59 PM

            Is this related? : http://forum.pfsense.org/index.php/topic,3390.0.html

Numbski, Jan 28, 2007, 5:35 PM

              Bug opened, but closed.  Thanks for that. :)  Now if only I could figure out why /var/db/whitelist winds up being such a mess for me. :(  It doesn't work right at all unless I manually clean it up after each reboot.  It appears to keep dumping duplicates into the file, and unless I sort network large to small, it's no good.

              That, and I have a network, x.x.x.0/24, in /var/db/whitelist, but snort keeps adding x.x.x.11 to the blocklist.  Unless I put x.x.x.11/32 in there as well, it keeps getting blocked.

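The three whitelist symptoms in the last post (duplicate entries, a need to order networks large to small, and a host inside a whitelisted /24 still being blocked) are what a normaliser with proper CIDR containment would address. The following is an added example in Python, not the pfSense package's or snort2c's own code: it parses a /var/db/whitelist-style file (one network or address per line, a format taken from the thread), dedupes it, orders it by prefix length, and checks coverage by containment rather than string equality. The sample file contents are constructed for the example.

```python
"""Normalising a snort2c-style whitelist (added example)."""
import ipaddress

# Constructed sample: a whitelist after several regenerations, with a
# duplicate line, a host already covered by its /24, a bare address and
# mixed ordering. These are documentation ranges, not addresses from the thread.
SAMPLE_WHITELIST = """\
10.20.30.11/32
10.20.30.0/24
192.0.2.8/29
10.20.30.0/24
203.0.113.5
192.0.2.0/24
"""


def parse_whitelist(text):
    """Parse one entry per line; a bare IP becomes a /32 (or /128)."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def normalize_whitelist(nets, drop_covered=True):
    """Remove exact duplicates and sort largest network first (shortest
    prefix), then by address. With drop_covered=True, entries that sit
    inside an earlier, larger entry are removed as well; keep it False
    if the consumer is known to need the host entry spelled out."""
    uniq = sorted(set(nets),
                  key=lambda n: (n.version, n.prefixlen, int(n.network_address)))
    kept = []
    for n in uniq:
        if drop_covered and any(n.version == k.version and n.subnet_of(k)
                                for k in kept):
            continue  # already covered by a larger network listed earlier
        kept.append(n)
    return kept


def render_whitelist(nets):
    """Serialise back to the one-entry-per-line file format."""
    return "\n".join(str(n) for n in nets) + "\n"


def is_whitelisted(ip, nets):
    """True if ip falls inside any listed network. Containment, not
    string comparison, so 10.20.30.11 matches 10.20.30.0/24."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    cleaned = normalize_whitelist(parse_whitelist(SAMPLE_WHITELIST))
    print(render_whitelist(cleaned), end="")
    print("10.20.30.11 whitelisted:", is_whitelisted("10.20.30.11", cleaned))
```

The `drop_covered` flag is there because of the last symptom: if the blocker really does need `x.x.x.11/32` alongside `x.x.x.0/24`, collapsing the host into its network would reintroduce the block, so run with `drop_covered=False` against such a consumer and use `is_whitelisted` only to verify what the file should cover.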
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.