Snort don't refer to pass list…



  • https://www.youtube.com/watch?v=o3u7BJRW1ek
    i refered to this url and somehow snort setup done. but few minutes later, E-mail (Use Thunderbird) can't connect mail server , then i see block tab , found the cause.(pop3 servers address is there)  and i back pfsense top screen , go firewall -> Aliases , regist ip address (named pop3_allow) , then go snort service screen , PassLists tab , add Aliases include ip addresseds  made in Aliases tab.

    but , not yet E-Mail can't connect pop3 servers…pass list is registerd then -> snort don't block/investigate about this ip addresses , through thease . do will i add more settings to snort menu ? Please instract me how to set it up :'(.

    thanks for reading !


  • Moderator

    Did you clear the IP in the "Blocked" Tab.



  • Thanks for reply . i try to clear IP  in the Blocked tab , all IP list was cleared, and temporarily E-Mail good run. but still few minutes after , again pop3 servers address pop up Blocked tab…

    My settings is below , if it for use of find problem.


  • Moderator

    Try to stop/start the Snort Interface where the alert is occurring.



  • thanks for reply . i think it seems to be blocked pop3 access unless snort remaining blocklist . remaining pop3 IP in the blocklist , Disable(in WAN Settings) or Stop(Status: Services)  to snort , E-mail don't run.

    and i retry clear blocklist . even though off/stop snort runs somewhere (pop3 blocks) , but blocklist was cleared , E-Mail accesss good run.

    my situation is such a feeling first of all. waiting for reply. :)



  • @HDM21KW:

    https://www.youtube.com/watch?v=o3u7BJRW1ek
    i refered to this url and somehow snort setup done. but few minutes later, E-mail (Use Thunderbird) can't connect mail server , then i see block tab , found the cause.(pop3 servers address is there)  and i back pfsense top screen , go firewall -> Aliases , regist ip address (named pop3_allow) , then go snort service screen , PassLists tab , add Aliases include ip addresseds  made in Aliases tab.

    but , not yet E-Mail can't connect pop3 servers…pass list is registerd then -> snort don't block/investigate about this ip addresses , through thease . do will i add more settings to snort menu ? Please instract me how to set it up :'(.

    thanks for reading !

    As the final step, after you created and save the passlist_10385 entry, did you then go to your WAN SETTINGS in Snort and assign that pass list name to the running interface and then restart the interface?

    Post a screenshot of the WAN SETTINGS tab from your Snort instance showing the assigned PASS LIST.

    Bill



  • Thanks for reply. following your instruct , and after restart PFSense , Snort recognize my whitelist ! E-Mail runs good , but port80/443 needed access in blocked hosts list , individually add IP/Networks needed( Akamai , etc…). a few time it needs , but once setup this , after it's be all right.

    Snort WanSettings -> Pass List fields is below.

    Thanks for reply , my snort problem is solved :D



  • @HDM21KW:

    Thanks for reply. following your instruct , and after restart PFSense , Snort recognize my whitelist ! E-Mail runs good , but port80/443 needed access in blocked hosts list , individually add IP/Networks needed( Akamai , etc…). a few time it needs , but once setup this , after it's be all right.

    Snort WanSettings -> Pass List fields is below.

    Thanks for reply , my snort problem is solved :D

    Glad you got it working.  That final step of actually assigning the Pass List to the desired interface is frequently missed.

    Bill


Log in to reply