Snort whitelist by command line



  • Hi,

    I have about 2000 external customers IP addresses that should never be blocked.

    Is there any way to enter them all at once? It will take too long to maintain this through the GUI.

    Best Regards
    Jan



  • I'm not 100% sure if this works, but you could put the IPs into a file and load it as a URL alias in pfSense aliases and then load that into your Snort whitelist.



  • Txs fragged,

    Good hit.

    I tried to define a URL alias definition in the firewall and this works. The URL alias is not shown in the Snort whitelist menu, but I can add it by typing the URL alias name. I can also select it under the interface and see the full list of IP addresses when selecting view list. So this looks good.

    Now I am going to test the whitelist.

    Best Regards
    Jan



  • Hi fragged,

    It works. Nice solution. My web server knows the IP addresses of my customers and prepares the list at a URL. pfSense downloads the list into the aliases. Snort uses the aliases as a whitelist.

    Thank you again for the hint.

    Best Regards
    Jan



  • @jandohrmann:

    Hi fragged,

    It works. Nice solution. My web server knows the IP addresses of my customers and prepares the list at a URL. pfSense downloads the list into the aliases. Snort uses the aliases as a whitelist.

    Thank you again for the hint.

    Best Regards
    Jan

    Just remember one caveat. Snort only reads its whitelist once during startup, so any updates to the list that happen during a "run" prior to a Snort restart will not be recognized. Snort writes its own whitelist file at the moment. So what is happening is during startup, when building the snort.conf configuration, it reads the Alias Table you created and writes the contents to its own whitelist file in the Snort directory. That file is then read to produce the list of "do block" IP addresses. So the whitelist is only updated during a Snort startup. But if you have the rules updating automatically, then each time a new rule set is downloaded, Snort will restart.

    One other limitation is that for now there is a 1024 IP address limit hard-coded in the Spoink plugin Snort uses on pfSense for blocking. So it won't recognize more than the first 1024 IP addresses in the whitelist. The code currently creates an in-memory list structure with only 1024 buckets for holding an address.

    It's possible the Spoink plugin could be improved a bit to utilize the Alias table directly, but I'm not sure how that would impact performance.

    Bill



  • @fragged:

    I'm not 100% sure if this works, but you could put the IPs into a file and load it as a URL alias in pfSense aliases and then load that into your Snort whitelist.

    A very good idea :).  I had never thought about that angle.

    Bill



  • Hi Bill,

    Thank you for letting me know the limitation about the 1000 entries because I have 2000 customers.

    Is the Spoink plugin source available? I would like to extend it.

    Best Regards
    Jan



  • @jandohrmann:

    Hi Bill,

    Thank you for letting me know the limitation about the 1000 entries because I have 2000 customers.

    Is the Spoink plugin source available? I would like to extend it.

    Best Regards
    Jan

    Yes, it is part of the pfPorts collection in pfSense.  You can fork the pfsense-tools repository on GitHub and then make your changes for submittal back to the pfSense Core Team as a Pull Request.  The change is really quite easy as the max value is defined with a constant.  I can make the change and submit it myself for the Core Team to review.  However, there is already a Snort 2.9.5.6 update out there being reviewed, so the earliest this could get in is with the Snort 2.9.6.0 update coming out later (maybe toward the end of March).

    I think one of the reasons for keeping the original list smaller was to make sure the Spoink plugin could quickly search it using its very simple search algorithm.  You don't want it taking too long to search for and find the IP address.  However, with today's fast hardware I don't think 2048 entries would be too much.

    Bill



  • Txs Bill,

    I will wait for the next release. I already implemented a workaround: customers who get into the block list will be "auto" added to the whitelist by looking into the full whitelist. Not all 2000 customers will generate weird traffic (I hope). It is not real time but good for now.

    I am looking forward to performance test it if you get the time to extend the table later.

    Best Regards
    Jan



  • @jandohrmann:

    Txs Bill,

    I will wait for the next release. I already implemented a workaround: customers who get into the block list will be "auto" added to the whitelist by looking into the full whitelist. Not all 2000 customers will generate weird traffic (I hope). It is not real time but good for now.

    I am looking forward to performance test it if you get the time to extend the table later.

    Best Regards
    Jan

    I found something that could work for you if you need more than 1000 whitelisted IPs.  You can enable Snort's reputation preprocessor by typing the information in the Advanced Pass-Through parameter on the Interface page.  Here is a link to the Snort manual describing the feature:

    http://manual.snort.org/node176.html

    You can enter the complete preprocessor line as shown in the linked manual page, then it will be automatically added to your Snort configuration each time Snort starts.

    Bill
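
The whitelist flow Bill describes in his two posts above (alias table written to a whitelist file at startup, the 1024-entry Spoink cap, and the reputation preprocessor as the way around it), as an added example that is not code from the thread, pfSense or Snort. The alias file format, the whitelist path and the memcap value are assumptions:

```python
"""Added example (not pfSense's or Snort's code): model how the alias list
becomes a whitelist, show the 1024-entry Spoink cap, and build the
reputation-preprocessor pass-through line that avoids that cap."""
import ipaddress

SPOINK_LIMIT = 1024  # bucket count of the in-memory list mentioned in the thread


def parse_alias_list(text):
    """Return (valid networks, rejected lines); assumes one IP/CIDR per line."""
    nets, bad = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '#' comments and whitespace
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append(line)
    return nets, bad


def spoink_whitelisted(addr, nets, limit=SPOINK_LIMIT):
    """Mimic the cap: only the first `limit` entries are ever consulted."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets[:limit])


def overflow_report(nets, limit=SPOINK_LIMIT):
    """How many entries the blocking plugin would silently ignore."""
    return {"total": len(nets), "ignored": max(0, len(nets) - limit)}


def reputation_passthrough(whitelist_path, memcap_mb=500):
    """'Advanced Pass-Through' line for Snort's reputation preprocessor.
    Option names follow the Snort 2.9 manual; 'priority whitelist' makes a
    whitelisted address win over any blacklist entry for the same address."""
    return (f"preprocessor reputation: memcap {memcap_mb}, priority whitelist, "
            f"nested_ip inner, whitelist {whitelist_path}")


def write_whitelist_file(nets):
    """Reputation list file format: one IP or CIDR per line, '#' comments."""
    return "# generated from pfSense alias\n" + "".join(f"{n}\n" for n in nets)


# Constructed sample: 1030 customer addresses, a comment and one typo line.
SAMPLE = "# customers\nnot-an-ip\n" + "\n".join(
    f"10.0.{i // 256}.{i % 256}" for i in range(1030))

if __name__ == "__main__":
    nets, bad = parse_alias_list(SAMPLE)
    print(overflow_report(nets), "rejected:", bad)
```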



  • Hi Bill,

    Brilliant solution - thank you!

    Best Regards
    Jan



  • @jandohrmann:

    Hi Bill,

    Brilliant solution - thank you!

    Best Regards
    Jan

    By the way, I plan to add this new IP Reputation Preprocessor option to the next Snort update (should be in the 2.9.6.0 package when it comes out in about a month).

    Bill