Netgate Discussion Forum

    Snort not respecting whitelist aliases anymore

      iFloris

      Version: 2.1-BETA0 (i386), built on Thu Oct 4 20:02:38 EDT 2012
      Snort version: 2.9.2.3 pkg v. 2.5.1

      For the past few months, I have been using aliases that are nested in other aliases.
      Mail servers have been collected in one alias, ssh servers as well, 'safe' servers, known hosts and so forth.
      All of these aliases are referenced in one 'whitelist' alias that I used to tell snort not to block these servers.
      It was my impression that this worked well. Snort generates alerts for some of these servers, but they were not blocked.

      Since last week, however, snort has started blocking hosts that I have defined in aliases present in the whitelist alias.
      To my knowledge, nothing has changed with respect to these aliases, nor has anything changed in the settings for snort.
      Because snort was blocking essential hosts, I have disabled snort for the time being.

      What am I doing wrong?

      tl;dr: Snort blocks hosts referenced in whitelist aliases

      one layer of information
      removed

        eri--

        You need to provide some info.

        The configuration files generated behind and some logs about this.

          iFloris

          Thank you Ermal, for the quick response.
          What config files and logs specifically do you need?

          Do you need the specific blocking events logged by snort?
          Or the contents of the Aliases from the config.xml?

          one layer of information
          removed
