Snort whitelist

  • I've got Snort running on several firewalls, and I'm having what seems to be more problems than the average user getting it to function properly. I'm relatively new to pfSense, but I've been doing what I do for a while, and (at least I think I) have a pretty good understanding of how I believe this is supposed to be working.

    Specifically, I've got one site that's using a SIP trunk for their outside calls. Users will report to me that they were on a call, and the call suddenly dropped. When I log into pfSense, I see this in the log entry:

    ./snort/snort_em031632/alert:11/12-13:20:37.677561 ,122,21,1,"PSNG_UDP_FILTERED_PORTSCAN",,,,,,14583,Attempted Information Leak,2,

    Where is my SIP provider and is the firewall address. There doesn't seem to be a block for this IP address, only an alert, coupled with the customer reporting a dropped call.

    I've got the SIP provider on the snort whitelist, but how can I determine if it's actually whitelisted? (The pfSense equivalent of iptables -L, maybe?) Is that just a blocking whitelist, or should it be whitelisted for alerts, too? I've created a firewall alias called "Whitelist" which contains a combination of network addresses and FQDNs. It also contains an alias called "VoIP" which contains the FQDN of the SIP trunk provider. Can snort read an alias within an alias? (It would be really nice if that were the case.) Can I check the configs somewhere to see if it's resolving correctly?

    Also, I poked around in the snort.conf file, and I see var WHITE_LIST_PATH ../rules and whitelist $WHITE_LIST_PATH/white_list.rules, but the file white_list.rules doesn't appear anywhere on my firewall. I've also seen many others saying that the whitelist isn't working, and no definitive answers saying that it is.

    I'm running 2.0.1-RELEASE (amd64) on a reasonably nice machine with 4GB RAM. Any insight is greatly appreciated. Thanks in advance!