Snort blocking my local IP



  • I've created an alias, added this to the whitelist, restarted the interface - still continues to block the IP.

    I have another way in obviously through the backend, however this is blocking all front end services to the IP.

    What is it I do not understand about whitelisting an IP through Snort?

    Any help is appreciated.


  • Moderator

    Check the Snort2c table in Diagnostic:Tables to see if the IP is listed.



  • I have no 'Tables' in Diagnostic

    There is ARPtable & NDPtable

    I should be more familiar, but this is the first time using Snort on this level in pfSense.

    Thanks


  • Moderator

    In Diagnostic:Tables you should get a drop down menu where you can select the table "snort2C"

    https://x.x.x.x:xxxx/diag_tables.php  (Enter your IP and port in the x's)

    What version of pfSense are you running?



  • Yes, the IP that is being blocked is in that file, with a couple dozen others.

    Thanks for getting me in there!



  • @mudmanc4:

    Yes, the IP that is being blocked is in that file, with a couple dozen others.

    Thanks for getting me in there!

    Two things to remember.

    First, when modifying the Whitelist, you must make sure the Snort interface is using the one you modified.  You can create multiple whitelists and give them different names.  Folks do this that run Snort on multiple interfaces.  To make sure Snort is using the correct whitelist, go to the Snort menu, click the Interfaces tab, and then click on the e icon beside the Snort instance you want to edit.  This will open the edit window for that interface. Scroll down near the bottom of the page and find the section for the whitelist.  Make sure the value in the drop-down selection matches the name of the whitelist you created (or edited).  Click the SAVE button to save the change.

    Another thing to remember is that when changing the whitelist, you must restart Snort for it to pick up the change.

    Last item I will throw in is that you cannot use FQDN Aliases.  The alias selection process should not have allowed that anyway, but just offering a reminder.

    Bill
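
An added example, not part of the original thread: a cross-check of the blocked addresses against the whitelist entries, which also flags FQDN entries that cannot be used. The one-entry-per-line whitelist format and both sample inputs are constructed assumptions; the block list is whatever Diagnostics > Tables shows for snort2c (or `pfctl -t snort2c -T show`).

```python
import ipaddress

# Constructed sample: whitelist entries, one per line (assumed format).
SAMPLE_WHITELIST = """\
# LAN hosts
192.168.1.0/24
10.0.0.5
mail.example.com
fd00::/64
"""

# Constructed sample: addresses listed in the snort2c block table.
SAMPLE_SNORT2C = """\
   10.0.0.5
   192.168.1.20
   203.0.113.7
   fd00::10
"""

def parse_whitelist(text):
    """Return (networks, rejected); rejected holds non-IP entries such as FQDNs."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)  # FQDNs land here: not usable in a whitelist
    return networks, rejected

def blocked_but_whitelisted(table_text, networks):
    """Return blocked addresses that fall inside any whitelist network."""
    hits = []
    for raw in table_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        addr = ipaddress.ip_address(raw)
        # Compare only within the same IP version (IPv4 vs IPv6).
        if any(addr.version == n.version and addr in n for n in networks):
            hits.append(str(addr))
    return hits

if __name__ == "__main__":
    nets, bad = parse_whitelist(SAMPLE_WHITELIST)
    print("Unusable whitelist entries (not an IP or CIDR):", bad)
    print("Blocked despite whitelist:", blocked_but_whitelisted(SAMPLE_SNORT2C, nets))
```

Any address reported as blocked despite being whitelisted points to the two causes described above: the interface is not using the edited whitelist, or Snort has not been restarted since the change.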



  • I have changed the whitelist for that interface to the one created earlier, restarted Snort, and made various protocol requests - no blocking that I can see at this point.

    Big info from you on this, much appreciated bmeeks!



  • @mudmanc4:

    I have changed the whitelist for that interface to the one created earlier, restarted Snort, and made various protocol requests - no blocking that I can see at this point.

    Big info from you on this, much appreciated bmeeks!

    Thank you.  Glad it's working for you now.  One item on my TODO list is to update the Snort package documentation and then include links to it from various spots in the package.

    Bill

