Snort Bug: HOME_NET line being mis-written. Comma at string end.
-
In /usr/local/etc/snort.conf, we have a line like so:
var HOME_NET [CIDR,CIDR,CIDR]
The problem is that the module writes the line out like this:
var HOME_NET [CIDR,CIDR,CIDR,]
I have to keep going in and manually removing the last comma. It's probably just a loop that appends a comma after each entry. Any way we can clean that up?
Also, it appears that snort is somwhat picky, and wants larger network entries towards the beginning, and individual addresses at the end. I know, it sounds dumb, but for some reason I have to manually sort the list so that /24's go first, /29's, then /32's, otherwise addresses fail to be whitelisted. I don't get it….
-
My mistake. The whitelist sorting problem occurs in /var/db/whitellist, not in HOME_NET. Still a problem, just told you the wrong place. Ooops.
UPDATE: Does snort2c even recognize CIDR notation? Per the web site and man page, it expects just plain old IP's, not IP/mask. Ruh roh.
-
Hrm. Please open a bug report at cvstrac.pfsense.com
Thanks!
-
UPDATE: Does snort2c even recognize CIDR notation? Per the web site and man page, it expects just plain old IP's, not IP/mask. Ruh roh.
I am using CIDR blocks on my setup. My Vonage connection stopped working after updating Snort on 1/22/07. When I checked the firewall logs, it showed Snort was blocking all UDP connections from Vonage IPs. I added the two Vonage CIDR blocks, pulled from an ARIN search of the IP's, to Snort's whitelist and it starting working again.
I'm using pfSense snapshot 1-22-2007, if that matters.
-
Is this related? : http://forum.pfsense.org/index.php/topic,3390.0.html
-
Bug opened, but closed. Thanks for that. :) Now if only I could figure out why /var/db/whitelist winds up being such a mess for me. :( It doesn't work right at all unless I manually clean it up after each reboot. It appears to keep dumping duplicates into the file, and unless I sort network large to small, it's no good.
That, and I have a network, x.x.x.0/24 for I have in /var/db/whitelist, but snort keeps adding x.x.x.11 to the blocklist. Unless I put x.x.x.11/32 in there as well, it keeps getting blocked.