Netgate Discussion Forum
    Snort keeps blocking an IP address that's in the pass list

    15 Posts 9 Posters 4.8k Views
    • BBcan177 (Moderator)

      In the Snort preprocessor settings you can also define scanners to ignore. So you could use the same alias, or create a new alias.

      Also as per Bill:

      Suricata and Snort work the same in the area of Pass Lists.  Once you have a custom list created and saved, you then must go to the INTERFACE SETTINGS tab and select that list in the drop-down selection for PASS LIST.  Then you save the change and restart that interface.

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      • Rewt0r

        I don't want to ignore them, I just want it to stop blocking IPs in the pass list.

        • BBcan177 (Moderator)

          It's strange that it's not using the Pass list… maybe post some screen shots? Did you try stop/start of the interface?

          If you add one of the IPs that is getting triggered by the scanner preprocessor, does it still trigger an alert?

          • Rewt0r

            Let me just get this straight, if I update an IP in an alias that is included on the Pass List am I required to restart the Snort interface EVEN though the updated IP is listed correctly in the Pass List by Snort?

            If that is the case then couldn't this be made more user friendly so that this isn't required? I shouldn't need to update the IP in my alias and THEN restart the Snort interface. Just seems like there's an extra step for no reason.

            • BBcan177 (Moderator)

              I take it, that restarting the interfaces fixed the issue?  :)

              Snort has no way of knowing that the pfSense Alias that you created for the "pass list" has been updated. The snort.conf file is re-generated at Updates and Start/restart of the interfaces… I am not the maintainer of the Snort code, but it probably doesn't make sense to have a function to poll the "Alias Pass Lists" every 5 mins for changes and then update the conf file and restart the interfaces.

              There could be something said about Dynamic Addresses, but that is a different concern...

              Maybe Bill Meeks will chime in when he reads this thread...

              • bmeeks

                The limitation is within the Snort binary.  The plugin that handles blocking with a pf firewall is not dynamic.  This means it reads the pass list into memory from a text file at startup. If the list is updated, the Snort process must be restarted so the list is read again and the in-memory information changed.

                I did not write the plugin.  It has been in existence for many years and perhaps even predates pfSense.  It is based off an old piece of open-source code called Spoink.

                I have never looked into making it dynamic with respect to the Pass List.  It might be possible.  I will look into the possibility.

                Bill

                • dcol

                  I know that this is an old topic, but I just ran into the same issue and I'm glad I found this post, because there is no way I would have known to restart Snort when I change an alias. Had me going for an hour. This should be dynamic.

                  • hamed_forum

                    I have a problem: IPs in my pass list (an alias including 3 IPs) are being blocked. What do you do?

                    • MontTech

                      I'm having the same/similar issue… The pass list seems to be properly configured, but Suricata still adds passed IPs to the block list. Running the latest versions of everything. :o

                      • Kryptos1

                        I can confirm that this is still an issue. Snort does not respect custom IPs added to pass lists, even after rebooting the whole rig. Yes, the pass list has been added to the interface, in case anyone asks…

                        • bmeeks

                          @Kryptos1:

                          I can confirm that this is still an issue. Snort does not respect custom IPs added to pass lists, even after rebooting the whole rig. Yes, the pass list has been added to the interface, in case anyone asks…

                          Pass Lists do work.  If they did not, there would be hundreds of posts here about it.  How are you adding the custom IPs to the pass list?  Have you looked carefully through the pfSense system log to see if any error messages were logged?  Perhaps the Snort code encountered a syntax error reading the pass list.  If so, there should be an error line in the system log.

                          Pass List IP addresses are basically static.  If pulled from an Alias, the Alias is read and decoded when Snort starts.  The IP pulled then is what is written to the Pass List file.  The contents of that file are read line-by-line into memory.  The in-memory list is then static until the next Snort restart.  There is no way for Snort to tell the Alias code that it wants to be notified of IP address changes.  The only thing Snort could possibly do is poll that entire Alias table on some interval.  That is not efficient.  It really becomes inefficient if someone has thousands of IP addresses in Alias tables.  This limitation is also why FQDN Aliases are not supported in Snort or Suricata.

                          Bill

                          • digdug3
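Bill's description above (alias decoded at start, written to a file, read once into a static in-memory list) suggests a quick check an admin can run before concluding that pass lists are broken: does the snapshot the IDS loaded still cover what the alias resolves to now? This is an added example, not Netgate, Snort or Suricata code; it assumes nothing about file paths or commands and takes both lists as plain text, handling host and network entries (the "hosts" vs "networks" alias types mentioned later in the thread).

```python
# Added example (not Netgate, Snort or Suricata code): compare the pass-list
# snapshot an IDS loaded at startup with what the pfSense alias resolves to
# now. Both inputs are constructed here; on a real box you would feed it the
# alias table and the interface's generated pass-list file (paths/commands
# are package-specific and deliberately not assumed here).
import ipaddress

# Constructed: what the alias resolves to right now.
ALIAS_NOW = """\
192.0.2.10
192.0.2.11
198.51.100.0/24
2001:db8::5
"""

# Constructed: the pass-list file written at the last interface (re)start.
# 192.0.2.11 was added to the alias afterwards, and 2001:db8::5 has no
# matching IPv6 entry, so neither is covered by the loaded snapshot.
PASSLIST_AT_START = """\
# generated pass list (constructed for this example)
127.0.0.1/32
192.0.2.10/32
198.51.100.0/24
"""


def parse_networks(text):
    """One address or CIDR per line; blanks and '#' comments are skipped.
    Bare hosts become /32 or /128 networks so every entry compares alike."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def uncovered_entries(alias_text, passlist_text):
    """Alias entries (as strings) that no loaded pass-list network contains.
    Version is checked first: subnet_of() raises on mixed IPv4/IPv6."""
    loaded = parse_networks(passlist_text)
    missing = []
    for entry in parse_networks(alias_text):
        if not any(entry.version == p.version and entry.subnet_of(p)
                   for p in loaded):
            missing.append(str(entry))
    return missing
```

A non-empty result from `uncovered_entries(ALIAS_NOW, PASSLIST_AT_START)` (here `['192.0.2.11/32', '2001:db8::5/128']`) means the in-memory list is stale and the interface needs a restart, exactly the situation the posters above hit.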

                            I used to have a "SuricataWhitelist" alias containing hosts (also aliases). Now its type is "networks" (the old host aliases are still there).
                            So this has changed. Maybe this is causing the blocks since the last version?

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.