Snort ignores the netlist



  • Hi,
    I have a new 2.01 version of pfSense where I installed the snort package version 2.9.1
    I defined the netlist with all the IP pools I have (about 10 pools of 32-128 IPs) which I don't need to be filtered or monitored.
    It seems that no matter what I do - snort keeps blocking some of the IPs from this list.
    Now I understand that I have to put the subnets into the netlist and not the whitelist, since it doesn't work with CIDR.
    After configuring the netlist I selected it on the interface page, plus I also have a whitelist of a few single IPs that I also selected in the appropriate place.
    I stopped/started the snort interface after saving the changes, and just to be sure - I also tried restarting the whole snort service from the services page.

    The IPs that get blocked within a few seconds are from one of the subnets/interfaces of the firewall itself.
    That is, the snort interface is configured to WAN, and the hosts that get blocked are on the OPT1 interface that are trying to contact the OPT2 interface subnet. I also tried making the additional snort interface with OPT1, but to no success - the symptoms are the same.

    Of course, I can't and shouldn't manually enter every single IP into the whitelist - it's absurd (there are more than 300 of them).
    What can be the problem? How can I tell snort to ignore the pools from the netlist?



  • I see where to create a WHITELIST under Snort.  But where do you create a NETLIST?  I'd like to be able to add CIDRs.  Thanks.



  • @miles267:

    I see where to create a WHITELIST under Snort.  But where do you create a NETLIST?  I'd like to be able to add CIDRs.  Thanks.

    Click Whitelist

    In Whitelist at the bottom:

    For WHITELIST's enter ONLY IPs not CIDRs. Example: 192.168.4.1

    For NETLIST's you may enter IPs and CIDRs. Example: 192.168.4.1 or 192.168.4.0/24



  • OK - I see.  So if you enter a CIDR into the dialog box then it IS a NETLISH.  whereas a single IP represents a WHITELIST only.


Locked