Snort ignoring passlist after update



  • I recently updated to Snort 2.9.6.2 pkg v3.1.1

    Prior to the update my passlist was working correctly; now Snort is blocking the addresses in the passlist.

    The IPs in my alias/passlist are all CIDR and not domains.

    To fix this I tried:
    1. Removing/recreating the passlist
    2. Removing/recreating the referenced alias
    3. Reloading filters
    4. Restarting service
    5. Restarting server
    6. Reinstalling Snort

    But alas, IPs in my passlist keep getting added to the Blocked table.

    I even compared an XML backup of pfSense prior to the update with an XML backup after; my Snort settings are the same as they were when it was working.

    Can someone help me in the right direction to diagnose this?

    Thanks


  • Moderator

    Out of curiosity, if you add some /32 IP addresses instead of CIDR to the "Alias", does Snort allow those IPs to "pass"?



  • Thanks for your reply BBcan177

    I just realized that the 'pass list' dropdown under Interface/WAN settings had been reset to default!

    DOH


  • Moderator

    Happens to everyone at some time or another …  :)

