Netgate Discussion Forum
    Snort Pass White List not working correctly?

sensemann

      Hello,

      I am wondering if the pass list is not working?

      In WAN-Settings, below "Choose the networks Snort should inspect and whitelist" I activated a pass list:

Pass List: finotel_VoIP_hosts, contains 62.134.52.230

      block offenders is ON.

I still get alert entries belonging to that host, like this:

      ET INFO Session Traversal Utilities for NAT (STUN Binding Response) , 1:2018908
      SRC is 62.134.52.230 , DST the WAN IP.

      Thanks for Help!

      Regards

fragged

        If I'm not horribly mistaken, the pass list doesn't prevent alerts from popping up, but it does prevent the IP's in the pass list from actually getting blocked.

        Notes:

        1. Here you can create Pass List files for your Snort package rules. Hosts on a Pass List are never blocked by Snort.
        2. Add all the IP addresses or networks (in CIDR notation) you want to protect against Snort block decisions.
        3. The default Pass List includes the WAN IP and gateway, defined DNS servers, VPNs and locally-attached networks.
        4. Be careful, it is very easy to get locked out of your system by altering the default settings.
        Remember you must restart Snort on the interface for changes to take effect!

You can check the actual content of the list by clicking the View List button in Snort -> Snort Interfaces -> <iface> settings -> Pass List.

sensemann

          Hi,

thanks for this hint. It seems you're right ( https://doc.pfsense.org/index.php/Snort_passlist ) and I have added the entry to the suppress list.

bmeeks

            @fragged:

            If I'm not horribly mistaken, the pass list doesn't prevent alerts from popping up, but it does prevent the IP's in the pass list from actually getting blocked.

You can check the actual content of the list by clicking the View List button in Snort -> Snort Interfaces -> <iface> settings -> Pass List.

            fragged is correct as usual …  ;)

            Putting an IP on a PASS LIST prevents that IP address from being blocked, but it does not stop the alert from firing and getting logged.  To do that you must add the rule to a SUPPRESS LIST.

            Bill

silliwk53

I was having similar issues with the Pass list not working.  I had not noticed an issue prior to the most recent upgrade to pfSense 2.2 and Snort 2.9.7 v3.2.3.  The issue seems to be associated with having a combination of IP addresses as well as FQDNs.  If I remove the FQDNs then I do not have an issue.

bmeeks

                Snort does not support FQDN aliases.  They will cause problems.

                Bill

heliop100
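The two points Bill makes above (a pass list only exempts an address from blocking while a suppress list stops the alert itself, and pass-list entries must be IPs or CIDR networks, not FQDN aliases) can be checked against sample alert lines. The following is an added illustration written for this thread, not code from the pfSense Snort package. It parses constructed lines in Snort's "fast" alert format, applies a pass list and Snort 2.9 `threshold.conf`-style `suppress` entries, and reports whether each alert is logged and whether its source would be blocked. The block-decision model is a deliberate simplification (assumption: only the source address is treated as the offender, whereas the package can block either or both ends depending on its settings).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in Snort "fast" alert format (not taken from the thread).
# 62.134.52.230 is the STUN host from the question; the others are documentation ranges.
SAMPLE_ALERTS = [
    "01/15-10:00:01.000000  [**] [1:2018908:4] ET INFO Session Traversal Utilities for NAT "
    "(STUN Binding Response) [**] [Classification: Misc activity] [Priority: 3] "
    "{UDP} 62.134.52.230:3478 -> 203.0.113.10:10000",
    "01/15-10:00:02.000000  [**] [1:2018908:4] ET INFO Session Traversal Utilities for NAT "
    "(STUN Binding Response) [**] [Classification: Misc activity] [Priority: 3] "
    "{UDP} 198.51.100.9:3478 -> 203.0.113.10:10001",
]

# Pulls gid:sid, message, source and destination addresses out of a fast-format line.
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[0-9A-Fa-f.:]+):\d+ -> (?P<dst>[0-9A-Fa-f.:]+):\d+"
)

# Snort 2.9 suppress directive: "suppress gen_id G, sig_id S[, track by_src|by_dst, ip X]"
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+),\s*sig_id\s+(?P<sid>\d+)"
    r"(?:,\s*track\s+(?P<track>by_src|by_dst),\s*ip\s+(?P<ip>\S+))?\s*$"
)


@dataclass
class Alert:
    gid: int
    sid: int
    msg: str
    src: str
    dst: str


@dataclass
class Suppression:
    gid: int
    sid: int
    track: Optional[str]
    net: Optional[object]  # ipaddress network when track is set

    def matches(self, alert: Alert) -> bool:
        if (self.gid, self.sid) != (alert.gid, alert.sid):
            return False
        if self.track is None:
            return True  # suppress this signature regardless of address
        addr = ipaddress.ip_address(alert.src if self.track == "by_src" else alert.dst)
        return addr in self.net


def parse_fast_alert(line: str) -> Optional[Alert]:
    m = FAST_RE.search(line)
    if not m:
        return None
    return Alert(int(m["gid"]), int(m["sid"]), m["msg"], m["src"], m["dst"])


def load_pass_list(entries: List[str]) -> list:
    """Parse pass-list entries; only IP addresses and CIDR networks are accepted.
    An FQDN raises, mirroring Bill's note that Snort pass lists do not support FQDN aliases."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            raise ValueError(f"pass list entry {entry!r} is not an IP address or CIDR network") from None
    return nets


def parse_suppress(line: str) -> Suppression:
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised suppress line: {line!r}")
    net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
    return Suppression(int(m["gid"]), int(m["sid"]), m["track"], net)


def evaluate(alert: Alert, pass_nets: list, suppressions: List[Suppression]) -> Dict[str, bool]:
    """Logged: no suppress entry matched. Blocked: the alert was logged and the source
    (assumed offender) is not on the pass list. A suppressed alert can never block."""
    logged = not any(s.matches(alert) for s in suppressions)
    src = ipaddress.ip_address(alert.src)
    in_pass = any(src in net for net in pass_nets)
    return {"logged": logged, "blocked": logged and not in_pass}


def run_demo() -> list:
    pass_nets = load_pass_list(["62.134.52.230"])
    suppressions = [parse_suppress("suppress gen_id 1, sig_id 2018908, track by_src, ip 62.134.52.230")]
    results = []
    for line in SAMPLE_ALERTS:
        alert = parse_fast_alert(line)
        results.append((alert.src, evaluate(alert, pass_nets, []), evaluate(alert, pass_nets, suppressions)))
    return results


if __name__ == "__main__":
    for src, pass_only, with_suppress in run_demo():
        print(f"{src:15} pass list only: {pass_only}   pass + suppress: {with_suppress}")
```

Running it shows the situation from the first post: with only the pass list, the STUN alert from 62.134.52.230 is still logged but its source is not blocked; once the matching `suppress ... track by_src` entry is added the alert disappears, while the same signature from another source keeps firing and blocking.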

                  Hi

I set up one pass list (only networks), set it on the interface, and restarted the interface.
If I click on "view list" the IPs are there, but they are still being blocked.
I'm on 2.2.4 and Snort at 3.2.6.
Any idea?
Thanks.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.