    Snort Ignoring White List

    • jsigned

      I'm running Snort 2.9.5.6 pkg v3.0.4 on  pfsense 2.1-RELEASE (i386) FreeBSD 8.3-RELEASE-p11 and I am having very similar problems to this post:
      https://forum.pfsense.org/index.php/topic,59976.0.html
      Basically Snort is blocking IP addresses I have added to the white list alias.  The IP addresses are in the form xxx.xxx.xxx.xxx/32 and no matter how I try they are getting blocked.  My users are getting more than a little grumpy and I'm frustrated too.

      So what is the trick to white listing specific IPs, or is the function broken?

      • bmeeks

        @jsigned:

        I'm running Snort 2.9.5.6 pkg v3.0.4 on  pfsense 2.1-RELEASE (i386) FreeBSD 8.3-RELEASE-p11 and I am having very similar problems to this post:
        https://forum.pfsense.org/index.php/topic,59976.0.html
        Basically Snort is blocking IP addresses I have added to the white list alias.  The IP addresses are in the form xxx.xxx.xxx.xxx/32 and no matter how I try they are getting blocked.  My users are getting more than a little grumpy and I'm frustrated too.

        So what is the trick to white listing specific IPs, or is the function broken?

        So far as I know, the function is not broken.  It is working for me in terms of the local networks, WAN IP and gateway (they don't get blocked because they are whitelisted).  Have you restarted Snort since editing the whitelist?  Snort only reads the whitelist and loads into an in-memory lookup table upon a restart.  It is not dynamic.

        Also, have you actually assigned the whitelist you created to the Snort interface?  By default Snort uses an automatic whitelist containing only the WAN, Gateway and locally-attached networks.  If you create a whitelist with additional entries, you must tell Snort to use that customized list.  To do so, go to the Interface Settings tab for the interface and down near the bottom select the name of your custom whitelist in the appropriate drop-down.  Click Save to save the change.

        Bill

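        A quick way to confirm the situation Bill describes (a host in a whitelist that is nonetheless sitting in the block table) is to compare the whitelist file against the pf table the pfSense Snort package blocks into. This is an added check, not part of the thread or the Snort package; it assumes the block table is named snort2c (the pfSense default), uses constructed sample data in place of the real files, and strips the /32 suffix because pfctl prints host entries as bare addresses.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense Snort package.
# Compare a Snort whitelist with a dump of the pf block table. Host entries
# in the whitelist are written as a.b.c.d/32, while `pfctl -t snort2c -T show`
# prints bare addresses, so /32 is stripped before comparing. Only host
# entries are matched; network entries such as 10.0.0.0/8 are left alone.

# Print every whitelisted host that also appears in the block table dump.
# Args: $1 = whitelist file, $2 = file holding `pfctl -t snort2c -T show` output.
whitelisted_but_blocked() {
    sed -e 's/#.*//' -e 's|/32$||' -e '/^[[:space:]]*$/d' "$1" \
      | sort -u > "/tmp/wl.$$"
    sed -e 's/^[[:space:]]*//' -e '/^$/d' "$2" | sort -u > "/tmp/blk.$$"
    comm -12 "/tmp/wl.$$" "/tmp/blk.$$"
    rm -f "/tmp/wl.$$" "/tmp/blk.$$"
}

# Constructed sample data standing in for the real files on the firewall.
make_samples() {
    cat > /tmp/whitelist.sample <<'EOF'
# custom whitelist as exported from the pfSense alias (constructed)
203.0.113.10/32
203.0.113.11/32
10.0.0.0/8
EOF
    # pfctl output has a leading indent on each address (constructed)
    cat > /tmp/snort2c.sample <<'EOF'
   203.0.113.11
   198.51.100.7
EOF
}

# Stand-alone demo. On the firewall you would instead run
#   pfctl -t snort2c -T show > /tmp/blk.txt
# and pass your whitelist file and /tmp/blk.txt to the function. Any host it
# prints means the running Snort instance is not using that whitelist on the
# interface that raised the alert; assign the list, restart Snort, and release
# the host with `pfctl -t snort2c -T delete <ip>` if needed.
make_samples
whitelisted_but_blocked /tmp/whitelist.sample /tmp/snort2c.sample
```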
        • jsigned

          I've got a WAN, LAN, and DMZ.  I started out with snort running on the WAN interface and was fighting too many false positives.  Since what really needs snort is on the DMZ, I've pulled it off the WAN and put it on the DMZ.  I'd forgotten to put the white list on the DMZ interface.  I hope it was that simple to fix.  Tomorrow, when the users start hitting it, will be the test; my fingers are crossed.

          • bmeeks

            @jsigned:

            I've got a WAN, LAN, and DMZ.  I started out with snort running on the WAN interface and was fighting too many false positives.  Since what really needs snort is on the DMZ, I've pulled it off the WAN and put it on the DMZ.  I'd forgotten to put the white list on the DMZ interface.  I hope it was that simple to fix.  Tomorrow, when the users start hitting it, will be the test; my fingers are crossed.

            It should work fine.  You just have to remember to select and assign any custom whitelist on the appropriate Interface Settings tab.  I'm working on the next Snort package update now, and I will add some type of reminder to the Whitelist Edit screen when creating a new list to prompt users about assigning the new list at the time of saving.  The GUI is admittedly a little silent in that area.

            Bill
