Snort keeps blocking an IP address that's in the pass list
-
We have 2 aliases setup, one for my IP addresses and one for the Office's IP addresses. These are then used in an alias called "Snort Pass", this Snort Pass alias is then used in the Pass List however, Snort seems to still block IPs that have been changed in the Office group.
-
Have you selected the proper pass list on Snort Interface -> Your Interface -> Pass list (drop box)? You can use the view button to check all IP's that are in the list.
-
The IPs are correctly listed in there, but it still blocks for a port scan/sweep.
-
In the Snort preprocessor settings you can also define scanners to ignore. So you could use the same alias, or create a new alias.
Also as per Bill:
Suricata and Snort work the same in the area of Pass Lists. Once you have a custom list created and saved, you then must go to the INTERFACE SETTINGS tab and select that list in the drop-down selection for PASS LIST. Then you save the change and restart that interface.
-
I don't want to ignore them, I just want it to stop blocking IPs in the pass list.
-
It's strange that it's not using the Pass list… maybe post some screen shots? Did you try stop/start of the interface?
If you add one of the IPs that is getting triggered by the scanner preprocessor, does it still trigger an alert?
-
Let me just get this straight, if I update an IP in an alias that is included on the Pass List am I required to restart the Snort interface EVEN though the updated IP is listed correctly in the Pass List by Snort?
If that is the case then couldn't this be made more user friendly so that this isn't required? I shouldn't need to update the IP in my alias and THEN restart the Snort interface. Just seems like there's an extra step for no reason.
-
I take it, that restarting the interfaces fixed the issue? :)
Snort has no way of knowing that the pfSense Alias that you created for the "pass list" has been updated.. The snort.conf file is re-generated at Updates and Start/restart of the interfaces… I am not the maintainer of the Snort code, but It probably doesn't make sense to have a function to poll the "Alias Pass Lists" every 5 mins for changes and then update the conf file and restart the interfaces.
There could be something said about Dynamic Addresses, but that is a different concern...
Maybe Bill Meeks will chime in when he reads this thread...
-
The limitation is within the Snort binary. The plugin that handles blocking with a pf firewall is not dynamic. This means it reads the pass list into memory from a text file at startup. If the list is updated, the Snort process must be restarted so the list is read again and the in-memory information changed.
I did not write the plugin. It has been in existence for many years and perhaps even predates pfSense. It is based off an old piece of open-source code called Spoink.
I have never looked into making it dynamic with respect to the Pass List. It might be possible. I will look into the possibility.
Bill
-
I know that this is an old topic, but I just ran into the same issue and glad I found this post because no way I would have known to restart snort when I change an alias. Had me going for an hour. This should be dynamic.
-
i have problm block ip list in passlist (alias include 3 ip) what do you do?
-
I'm having same/similar issue…..Passlist seems to be properly configured, but Suricata still adds pass'd IP's to the block list. Running latest versions of everything. :o
-
I can confirm that this is still an issue. Snort does not respect custom ip's added to passlists - even after rebooting the whole rig. Yes, the passlist has been added to the interface in case anyone asks…
-
I can confirm that this is still an issue. Snort does not respect custom ip's added to passlists - even after rebooting the whole rig. Yes, the passlist has been added to the interface in case anyone asks…
Pass Lists do work. If they did not, there would be hundreds of posts here about it. How are you adding the custom IPs to the pass list? Have you looked carefully through the pfSense system log to see if any error messages were logged. Perhaps the Snort code encountered a syntax error reading the pass list. If so, there should be an error line in the system log.
Pass List IP addresses are basically static. If pulled from an Alias, the Alias is read and decoded when Snort starts. The IP pulled then is what is written to the Pass List file. The contents of that file are read line-by-line into memory. The in-memory list is then static until the next Snort restart. There is no way for Snort to tell the Alias code that it wants to be notified of IP address changes. The only thing Snort could possibly do is poll that entire Alias table on some interval. That is not efficient. It really becomes inefficient if someone has thousands of IP addresses in Alias tables. This limitation is also why FQDN Aliases are not supported in Snort or Suricata.
Bill
-
I used to have an "SuricataWhitelist" alias containing hosts (also alliasses). Now it's type is "networks" (old hosts aliasses are still there).
So this has changed. Maybe this is causing the blocks since the last version?
