Snort not respecting whitelist aliases anymore

  • Version: 2.1-BETA0 (i386), built on Thu Oct 4 20:02:38 EDT 2012
    Snort version: pkg v. 2.5.1

    For the past few months, I have been using aliases that are nested in other aliases.
    Mail servers have been collected in one alias, ssh servers as well, 'safe' servers, known hosts and so forth.
    All of these aliases are referenced in one 'whitelist' alias that I used to tell snort not to block these servers.
    It was my impression that this worked well. Snort generates alerts for some of these servers, but they were not blocked.

    Since last week, however, snort has started blocking hosts that I have defined in aliases present in the whitelist alias.
    To my knowledge, nothing has changed with respect to these aliases, nor has anything changed in the settings for snort.
    Because snort was blocking essential hosts, I have disabled snort for the time being.

    What am I doing wrong?

    tl;dr: Snort blocks hosts referenced in whitelist aliases

  • You need to provide some info.

    The configuration files generated behind and some logs about this.

  • Thank you Ermal, for the quick response.
    What config files and logs specifically do you need?

    Do you need the specific blocking events logged by snort?
    Or the contents of the Aliases from the config.xml?
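
One way to check offline whether a blocked address is really covered by the nested whitelist alias described in the first post, as an added example that is not part of the thread or of the Snort package. It assumes the aliases appear in config.xml as `<alias>` elements with a `<name>` and a space-separated `<address>`; the alias names and addresses below are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the thread; names and addresses are placeholders.
# Assumed layout: <alias> with <name> and a space-separated <address> field.
SAMPLE_CONFIG = """<pfsense><aliases>
  <alias><name>mailservers</name><type>host</type><address>192.0.2.10 192.0.2.11</address></alias>
  <alias><name>sshservers</name><type>network</type><address>198.51.100.0/28</address></alias>
  <alias><name>safe</name><type>host</type><address>mailservers mx.example.org</address></alias>
  <alias><name>loop</name><type>host</type><address>loop 203.0.113.5</address></alias>
  <alias><name>whitelist</name><type>host</type><address>safe sshservers loop</address></alias>
</aliases></pfsense>"""

def load_aliases(xml_text):
    """Map alias name -> list of raw entries (IPs, CIDRs, hostnames, alias names)."""
    root = ET.fromstring(xml_text)
    return {a.findtext("name"): (a.findtext("address") or "").split()
            for a in root.iter("alias")}

def flatten(name, aliases, seen=None):
    """Resolve nested aliases; return (networks, entries that are not IPs/CIDRs)."""
    seen = set() if seen is None else seen
    nets, unresolved = [], []
    if name in seen:              # alias already expanded, or a reference cycle
        return nets, unresolved
    seen.add(name)
    for entry in aliases.get(name, []):
        if entry in aliases:      # nested alias: expand recursively
            sub_nets, sub_unresolved = flatten(entry, aliases, seen)
            nets += sub_nets
            unresolved += sub_unresolved
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:        # hostname or range: needs resolving before comparison
            unresolved.append(entry)
    return nets, unresolved

def is_whitelisted(ip, name, aliases):
    """True if ip falls inside any network reachable from the named alias."""
    nets, _ = flatten(name, aliases)
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

if __name__ == "__main__":
    aliases = load_aliases(SAMPLE_CONFIG)
    for ip in ("192.0.2.11", "198.51.100.20"):   # constructed "blocked" addresses
        print(ip, is_whitelisted(ip, "whitelist", aliases))
```

Entries returned as unresolved (hostnames, for instance) are the ones worth comparing by hand against the blocked addresses, since they cannot be matched without a lookup.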
