Snort Pass White List not working correctly?

sensemann

Hello,

I am wondering if the pass list is not working?

In WAN-Settings, below "Choose the networks Snort should inspect and whitelist" I activated a pass list:

Pass List:  finotel_VoIP_hosts  , contains 62.134.52.230

block offenders is ON.

I still get Alert Entries belongs to the host, like this:

ET INFO Session Traversal Utilities for NAT (STUN Binding Response) , 1:2018908
SRC is 62.134.52.230 , DST the WAN IP.

Thanks for Help!

Regards

fragged

If I'm not horribly mistaken, the pass list doesn't prevent alerts from popping up, but it does prevent the IP's in the pass list from actually getting blocked.

Notes:

1. Here you can create Pass List files for your Snort package rules. Hosts on a Pass List are never blocked by Snort.
2. Add all the IP addresses or networks (in CIDR notation) you want to protect against Snort block decisions.
3. The default Pass List includes the WAN IP and gateway, defined DNS servers, VPNs and locally-attached networks.
4. Be careful, it is very easy to get locked out of your system by altering the default settings.
Remember you must restart Snort on the interface for changes to take effect!

You can check the actual content of the list by clicking the View List button in Snort -> Snort Interfaces -> <iface>settings -> Pass List.</iface>

sensemann

Hi,

thanks for this hint - It seems you re right  ( https://doc.pfsense.org/index.php/Snort_passlist ) and I have add the entry to the suppresss list

bmeeks

@fragged:

If I'm not horribly mistaken, the pass list doesn't prevent alerts from popping up, but it does prevent the IP's in the pass list from actually getting blocked.

You can check the actual content of the list by clicking the View List button in Snort -> Snort Interfaces -> <iface>settings -> Pass List.</iface>

fragged is correct as usual …  ;)

Putting an IP on a PASS LIST prevents that IP address from being blocked, but it does not stop the alert from firing and getting logged.  To do that you must add the rule to a SUPPRESS LIST.

Bill

silliwk53

I was having similar issues with the Pass list not working.  I had not noticed an issue prior to the most recent upgrade to pfSense 2.2 and Snort 2.9.7 v3.2.3.  The issue seems to be associated with having a combination of IP addresses as well as FQDN's.  If I remove the FQDN's then I do not have an issue.

bmeeks

Snort does not support FQDN aliases.  They will cause problems.

Bill

heliop100

Hi

I setup one passlist (only networks), set on interface, restart the interface.
If I click on "view list" the IPs are there, but still blocking.
I'm on 2.2.4 and Snort at 3.2.6
Any Idea?
Thanks.