Snort blocks src + dst IPs. With whitelist nothing blocked, though alerts logged



  • Hi,

    I got some problems with Snort on 2.0-rc1 snapshot 20.3.11 (i386).

    At the beginning I used Snort for my second "wan" interface (not named "wan") and tested it by adding p2p block rules for Skype (I know it's quite difficult or nearly impossible to block Skype, but just for a test).

    Snort was configured just for my second WAN, not lan or any other if.

    As soon as a Skype client started, Snort blocked both the dest. IP of the server Skype tried to connect to AND my public IP.
    Then I added my public IP manually to the whitelist and tried again.
    But then, Snort didn't block ANYTHING.

    Afterwards I removed my custom whitelist, disabled Snort on my second WAN and enabled it on my first WAN ('wan') and tried again.

    This time Snort successfully added my public IP to its default whitelist and so didn't block my WAN IP.
    BUT it also didn't block any destination IP, although it logged alerts.

    Does anyone have any idea of what I might be doing wrong?

    Thank you very much for some help!



  • No one has any idea?

    I think it's strange that either Snort blocks my public IP PLUS the destination IP (the one I actually want it to block) or it blocks nothing (if my public IP is in the whitelist), ALTHOUGH it logs the corresponding alerts.



  • Sorry for the bump, but I still have no solution to this problem.

