Snort pkg v. 2.5.1 blocks certain white listed IPs

  • We have created a white list alias and use that alias as the HOME NET (External net is left as DEFAULT). Most of the time, this works fine however our external NATTED IPs still get put in Snort's block list even though they are in the white list.

    To give more detail, we do lots of security scans from a server in our LAN to the Internet via the firewall / Snort. This raises Snort alerts (as I would expect), however Snort puts the external Natted IP of the scanning server in the block list even though this IP is in the Snort white list alias.

    Any ideas? :-)

  • Are you running 32-bit or 64-bit?

  • 32 bit :-)

  • My 32-bit is failing to load mbstring functions which is having all sorts of consequences for SNORT, mainly in whitelists. Another user has posted a PHPinfo report which shows successful loading of mbstring on an i386 box which casts doubts in my mind as to the completeness of my installation. It was an 'in-place' upgrade from the 1.2.3 console and I'm going to see if I have enough spare NIC's to build another machine from scratch using a fresh CD.

  • Thanks!  I was just wondering if I was supposed to put something in the EXTERNAL NET? Maybe snort doesnt like "external IPs" in the HOME NET?

    Let me know what you fin!

  • vbentley,

    you could also consider building a virtual machine (e.g. with VirtualBox) with 2 bridged NICs. The benefit is that you can take snapshots and go back to a working config anytime you want/need to.

  • That's a good idea. I haven't tried VirtualBox yet, will try it soon.

  • If your desktop computer is a Windows machine, either use the cygwin environment or at least putty to communicate with the server (ssh enabled). Working with the console is a pain in the neck as VB extensions are not supported. Since you are evaluating Snort, you should also enable promiscuous mode for the NICs. If the virtual machine is entirely in your LAN you need some extra rules for the firewall, but you'll find out…

  • @Fesoj:

    If your desktop computer is a Windows machine…

    I migrated off Windows in 2009. I've been using mostly Ubuntu since then. Virtualbox is running nicely on my laptop, I'm starting to get familiar with it now.

  • Just wondering if anyone has any news about the initial issue?  I still cannot stop Snort from blocking our NATTED external IPs even when they are in the whitelist :-(

  • It's weird with my install for a while say for about 3 hours it will keep blocking any ports like for example my phones network is accepted as a whitelist. But if I was to remove it from the whitelist it would take 3 hours for it to be accepted when I start seeing loads of alerts in the logs for my phones network (of which I suppress for my works IP address).

    If this is any good to anyone how long have you tested it for? I mean even if I am to restart my router it's very odd (my router being what pfsense is of course) it still manages to block those whitelisted IPs.

    Be interesting that how long someone would test it after they have whitelisted an ip address it's rather odd to me to be honest.

  • I am getting blocked hosts that are in the $HOME_NET

    After a fresh install:
    2.0.1-RELEASE (amd64)
    built on Mon Dec 12 18:16:13 EST 2011
    FreeBSD 8.1-RELEASE-p6

    …and only installing:
    arping 2.09.1
    snort pkg v. 2.5.1

    Global settings:
      checked Install Basic Rules
      checked Install Emergingthreats rules

    Snort: Interface Edit: WAN
    Selected all defaults, checked block offenders, and the src for IP to block

    I selected all, and turned snort on

  • Sorry for the delay. We have the same issue and it is causing us major problems.

    We have an internal server that scans web sites known as a security risk so we generate alot of Snort alerts. However, our internal LAN servers are getting blocked by Snort on the virtual IP (IP the server has on the Internet).

    We have put the virtual IP range in the white list and we have set the "Add Virtual IP Addresses to the list" option on. Yet still our virtual IPs get blocked by snort (they appear in the Snort blocked list).

    What can be done to fix this?

    Any help would be much appreciated!!

Log in to reply