Snort Preprocessors block IPs from HOME_NET



  • Hi there,

    I hope to get any replys to this post. I configured PfSense 2.0.1 Snort 2.9.2.3 pkg v. 2.5.1 very often now, and I have successfully set my HOME_NET variable in the snort configuration (/var/local/etc/snort/igb0…./snort.conf). Normal rules dont get triggered if they are caused by IPs from my Homenet. But still, alerts caused by my subnet appear, if they are detected by proprecessors like "HTTP INSPECT" or "ssp_ssl". Is there an option which has to be activated to whitelist my subnet-IPs?
    Is there any way to change the configuration of preprocessors (edit manually the config files?) or do I have to disable them to avoid alerts?



  • I had the same problem, my fix was that in the name of the ip aliases I put the sign "_" between words and after removing that from the alias name and renaming the alias with only letters it worked.

    I also checked the snort config in /usr/local/etc/snort/snort_<if>/snort.conf to see if the ips are in the homenet. If they are not added there is a problem with the aliases.</if>



  • Hmm… all the aliases I include in snort whitelists have an underscore in the name - maybe that's why they are failing (ie. whitelisted ip's getting blocked).  I'll try to update here if I find that to be the case.



  • well thats another problem. the whitelisted ip's are not being blocked, only if you enter a CIDR like 192.168.20.0/24, i had to type all 256 ips into an pfsense alias to prevent my subnet from being blocked (because of blocking "both", dst and src(which can change in some rules))

    currently i tuned most of the preprocessors by removing the check marks in the configuration page and entered a different preprocessor configuration in "Advanced configuration pass through". Works very good, but I turned most of the preprocessor alerts to reduce false alerts.


Locked