3. Snort not respecting whitelist aliases anymore

Snort not respecting whitelist aliases anymore

  • I

    Version: 2.1-BETA0 (i386), built on Thu Oct 4 20:02:38 EDT 2012
    Snort version: 2.9.2.3 pkg v. 2.5.1

    For the past few months, I have been using aliases that are nested in other aliases.
    Mail servers have been collected in one alias, ssh servers as well, 'safe' servers, known hosts and so forth.
    All of these aliases are referenced in one 'whitelist' alias that I used to tell snort not to block these servers.
    It was my impression that this worked well. Snort generates alerts for some of these servers, but they were not blocked.

    Since last week however, snort has started blocking hosts that I have defined in aliases present in the whitelist alias.
    To my knowledge, nothing has changed in respect to these aliases, nor has anything changed in the settings for snort.
    Because snort was blocking essential hosts, I have disabled snort for the time being.

    What am I doing wrong?

    tl;dr: Snort blocks hosts referenced in whitelist aliases

    0
  • E

    You need to provide some info.

    The configuration files generated behind and some logs about this.

    0
  • I

    Thank you Ermal, for the quick response.
    What config files and logs specifically do you need?

    Do you need the specific blocking events logged by snort?
    Or the contents of the Aliases from the config.xml?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy