Netgate Discussion Forum

    Snort whitelist

    pfSense Packages
    1 Posts 1 Posters 2.0k Views
    cmhecho

      I've got Snort running on several firewalls, and I'm having what seems to be more problems than the average user getting it to function properly. I'm relatively new to pfSense, but I've been doing what I do for a while, and (at least I think I) have a pretty good understanding of how I believe this is supposed to be working.

      Specifically, I've got one site that's using a SIP trunk for their outside calls. Users will report to me that they were on a call, and the call suddenly dropped. When I log into pfSense, I see this in the log entry:

      ./snort/snort_em031632/alert:11/12-13:20:37.677561 ,122,21,1,"PSNG_UDP_FILTERED_PORTSCAN",,55.55.55.55,,23.45.67.89,,14583,Attempted Information Leak,2,

      Where 55.55.55.55 is my SIP provider and 23.45.67.89 is the firewall address. There doesn't seem to be a block for this IP address, only an alert, coupled with the customer reporting a dropped call.

      I've got the SIP provider on the snort whitelist, but how can I determine if it's actually whitelisted? (The pfSense equivalent of iptables -L, maybe?) Is that just a blocking whitelist, or should it be whitelisted for alerts, too? I've created a firewall alias called "Whitelist" which contains a combination of network addresses and FQDNs. It also contains an alias called "VoIP" which contains the FQDN of the SIP trunk provider. Can snort read an alias within an alias? (It would be really nice if that were the case.) Can I check the configs somewhere to see if it's resolving correctly?

      Also, I poked around in the snort.conf file, and I see var WHITE_LIST_PATH ../rules and whitelist $WHITE_LIST_PATH/white_list.rules, but the file white_list.rules doesn't appear anywhere on my firewall. I've also seen many others saying that the whitelist isn't working, and no definitive answers saying that it is.

      I'm running 2.0.1-RELEASE (amd64) on a reasonably nice machine with 4GB RAM. Any insight is greatly appreciated. Thanks in advance!

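An added example, not part of the original post and not code from the pfSense Snort package: it parses the alert line quoted above into named fields and then checks the source and destination addresses against a nested alias structure like the poster's "Whitelist" / "VoIP" aliases. The column order of the alert log (timestamp, gid, sid, rev, msg, proto, src, srcport, dst, dstport, id, classification, priority) is an assumption read off the quoted line; the alias contents are constructed, with the provider's FQDN already resolved to the address from the post, because the script runs offline and does not query DNS. The nested-alias expansion is done by this script itself and says nothing about whether Snort on pfSense reads aliases within aliases.

```python
import csv
import ipaddress
from io import StringIO

# Constructed copy of the alert line from the post (only the file path prefix removed).
SAMPLE_ALERT = ('11/12-13:20:37.677561 ,122,21,1,"PSNG_UDP_FILTERED_PORTSCAN",,'
                '55.55.55.55,,23.45.67.89,,14583,Attempted Information Leak,2,')

# Assumed column order of the pfSense Snort alert log. The line ends with a
# trailing comma, so the csv reader yields one extra empty column that we drop.
FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "proto", "src", "srcport",
          "dst", "dstport", "id", "classification", "priority"]

# Constructed firewall aliases mirroring the poster's layout: "Whitelist" holds
# networks plus a nested alias "VoIP"; the FQDN is shown already resolved.
ALIASES = {
    "Whitelist": ["192.168.1.0/24", "VoIP"],
    "VoIP": ["55.55.55.55"],
}


def parse_alert(line):
    """Split one alert log line into a dict keyed by FIELDS."""
    row = next(csv.reader(StringIO(line)))
    if row and row[-1] == "":
        row = row[:-1]  # drop the empty column produced by the trailing comma
    if len(row) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {line!r}")
    return dict(zip(FIELDS, (v.strip() for v in row)))


def flatten_alias(aliases, name, seen=None):
    """Recursively expand alias `name` into ip_network objects.

    A `seen` set guards against alias cycles (A contains B contains A).
    Entries that are not alias names are parsed as addresses or CIDR networks.
    """
    seen = set() if seen is None else seen
    if name in seen:
        return []
    seen.add(name)
    nets = []
    for entry in aliases[name]:
        if entry in aliases:
            nets.extend(flatten_alias(aliases, entry, seen))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_whitelisted(ip, nets):
    """True if `ip` falls inside any network in `nets`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def check_alert(line, aliases, root="Whitelist"):
    """Parse an alert line and annotate it with whitelist membership of src/dst."""
    rec = parse_alert(line)
    nets = flatten_alias(aliases, root)
    rec["src_whitelisted"] = is_whitelisted(rec["src"], nets)
    rec["dst_whitelisted"] = is_whitelisted(rec["dst"], nets)
    return rec


if __name__ == "__main__":
    result = check_alert(SAMPLE_ALERT, ALIASES)
    # gid 122 is the sfPortscan preprocessor, which is why proto and ports are empty
    for key in ("gid", "sid", "msg", "src", "dst", "classification",
                "src_whitelisted", "dst_whitelisted"):
        print(f"{key:16} {result[key]}")
```

Running it on the quoted line reports the provider address as covered by the expanded "Whitelist" alias and the firewall's own address as not covered, which is the kind of check the question asks for when the GUI gives no direct view of what was resolved.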
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.