Snort whitelists



  • I'm new to pfSense, and I'm having a very difficult time getting a Snort whitelist to work. We have several subnets connected to our main networks - 10.1.0.0/21, 192.168.2.0/24, 192.168.6.0/24 192.168.14.0/24 and 192.168.15.0/24 - and even though they're in a whitelist, Snort still blocks them. We're running pfSense 2.1 and Snort 2.9.5.6. If it's relevant, each of those networks is defined in an alias, which is, in turn, contained within another alias I'm using for the whitelist.

    How would I go about debugging this problem?



  • @Dadoo:

    I'm new to pfSense, and I'm having a very difficult time getting a Snort whitelist to work. We have several subnets connected to our main networks - 10.1.0.0/21, 192.168.2.0/24, 192.168.6.0/24 192.168.14.0/24 and 192.168.15.0/24 - and even though they're in a whitelist, Snort still blocks them. We're running pfSense 2.1 and Snort 2.9.5.6. If it's relevant, each of those networks is defined in an alias, which is, in turn, contained within another alias I'm using for the whitelist.

    How would I go about debugging this problem?

    First, have you made sure the new whitelist you created is actually assigned to the interface where Snort is running?  You do this on the Interface Settings tab for the Snort interface.  Down toward the bottom is a drop-down selection field for choosing the whitelist file to use.  When you select the whitelist in the drop-down, you can then view its contents with the VIEW button out by the side of the drop-down selector.  Verify that the networks you want whitelisted are actually showing up in the list.

    Next, after you make the correct choice and save it, you must restart Snort on the interface for it to use the newly assigned whitelist.  Snort cannot "live load" output plugin changes such as using a new whitelist.

    Simply creating a whitelist on the Whitelists tab does assign it to a running Snort interface.  You can only create lists on the Whitelists tab.  You must assign them on the actual interface's Settings tab.

    Bill



  • Ahhh… I see. Whitelists are per-interface, not per-firewall. That explains why some of the addresses on the whitelist were blocked, while others were not.  The GUI doesn't make that obvious. Now that I've set a whitelist for both interfaces, that seems to have solved the problem.

    Thanks for your help.



  • @Dadoo:

    Ahhh… I see. Whitelists are per-interface, not per-firewall. That explains why some of the addresses on the whitelist were blocked, while others were not.  The GUI doesn't make that obvious. Now that I've set a whitelist for both interfaces, that seems to have solved the problem.

    Thanks for your help.

    You're welcome.  I am starting a project to revise/update the Snort package documentation on the pfSense Documentation Wiki.  It will take me some time to get everything updated.  The stuff there now is way old and goes back many Snort versions well before I began offering some updates to the code.  Once the documentation update is complete, I will then make sure the various HELP links within the Snort GUI to point to the relevant Wiki page.

    Bill


Log in to reply