Netgate Discussion Forum

    Snort Preprocessors block IPs from HOME_NET

      moe2006

      Hi there,

      I hope to get any replies to this post. I have configured pfSense 2.0.1 Snort 2.9.2.3 pkg v. 2.5.1 very often now, and I have successfully set my HOME_NET variable in the Snort configuration (/var/local/etc/snort/igb0…./snort.conf). Normal rules don't get triggered if they are caused by IPs from my HOME_NET. But alerts caused by my subnet still appear if they are detected by preprocessors like "HTTP INSPECT" or "ssp_ssl". Is there an option which has to be activated to whitelist my subnet IPs?
      Is there any way to change the configuration of preprocessors (manually edit the config files?) or do I have to disable them to avoid alerts?

        slim0801

        I had the same problem. In the names of the IP aliases I had put the "_" sign between words; after removing that from the alias name and renaming the alias with only letters, it worked.

        I also checked the Snort config in /usr/local/etc/snort/snort_<if>/snort.conf to see if the IPs are in the HOME_NET. If they are not added, there is a problem with the aliases.

          jnorell

          Hmm… all the aliases I include in Snort whitelists have an underscore in the name - maybe that's why they are failing (i.e. whitelisted IPs getting blocked). I'll try to update here if I find that to be the case.

            moe2006

            Well, that's another problem. The whitelisted IPs are not being blocked, only if you enter a CIDR like 192.168.20.0/24, I had to type all 256 IPs into a pfSense alias to prevent my subnet from being blocked (because of blocking "both", dst and src (which can change in some rules)).

            Currently I have tuned most of the preprocessors by removing the check marks in the configuration page and entered a different preprocessor configuration in "Advanced configuration pass through". Works very well, but I turned most of the preprocessor alerts to reduce false alerts.

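Added example, not part of any post in this thread and not pfSense or Snort package code: a small Python check for the step the posters describe, reading the HOME_NET line out of the generated snort.conf and listing which addresses of a subnet (such as the 192.168.20.0/24 mentioned above) it does not cover. The function names and the sample configuration text are constructed for illustration; it handles flat `var`/`ipvar` lists with `!` negation and rejects nested variables.

```python
import ipaddress
import re

# Constructed sample; on a real box pass the text of the interface's snort.conf.
SAMPLE_CONF = """\
ipvar HOME_NET [192.168.20.0/24,10.0.0.5,!192.168.20.200]
ipvar EXTERNAL_NET !$HOME_NET
"""

def parse_ip_var(conf_text, name="HOME_NET"):
    """Return (included, excluded) networks from a `var`/`ipvar` line."""
    m = re.search(rf"^[ \t]*(?:ip)?var[ \t]+{re.escape(name)}[ \t]+(\S.*)$",
                  conf_text, re.M)
    if not m:
        raise KeyError(f"{name} is not defined")
    included, excluded = [], []
    for token in re.split(r"[\[\],\s]+", m.group(1)):
        if not token:
            continue
        negated = token.startswith("!")
        token = token.lstrip("!")
        if not token or token.startswith("$"):
            # Negated groups and nested variables are out of scope here.
            raise ValueError(f"unsupported element in {name}")
        if token == "any":
            token = "0.0.0.0/0"  # IPv4 only in this example
        net = ipaddress.ip_network(token, strict=False)
        (excluded if negated else included).append(net)
    return included, excluded

def covered(addr, included, excluded):
    """True if addr matches an included entry and no negated one."""
    ip = ipaddress.ip_address(str(addr))
    return any(ip in n for n in included) and not any(ip in n for n in excluded)

def uncovered_hosts(cidr, included, excluded):
    """Addresses inside cidr that the variable does not cover."""
    return [str(ip) for ip in ipaddress.ip_network(cidr)
            if not covered(ip, included, excluded)]

if __name__ == "__main__":
    inc, exc = parse_ip_var(SAMPLE_CONF)
    print("192.168.20.17 covered:", covered("192.168.20.17", inc, exc))
    print("gaps in 192.168.20.0/24:", uncovered_hosts("192.168.20.0/24", inc, exc))
```

An empty result from `uncovered_hosts` means the whole subnet is in the variable, so any remaining alerts are not explained by a missing HOME_NET entry.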
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.