Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort Blocking Whitelisted IP

    Scheduled Pinned Locked Moved
    IDS/IPS
    2
    4
    2.7k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      thx2000
      last edited by

      I've tried every which way to whitelist a group of IPs.  I've tried an alias through a pass list, as well as creating an IP List and adding it to the IP rep config.  I have since deleted the IP rep entirely and yet I'm still getting these blocks:

      ET POLICY Vulnerable Java Version 1.7.x Detected - 03/05/15-20:33:33 (spp_reputation) packets whitelisted - 03/05/15-20:18:33

      I interpret this as the packet being flagged as whitelisted yet it's still generating a block.

      What am I doing wrong?

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        @thx2000:

        I've tried every which way to whitelist a group of IPs.  I've tried an alias through a pass list, as well as creating an IP List and adding it to the IP rep config.  I have since deleted the IP rep entirely and yet I'm still getting these blocks:

        ET POLICY Vulnerable Java Version 1.7.x Detected - 03/05/15-20:33:33 (spp_reputation) packets whitelisted - 03/05/15-20:18:33

        I interpret this as the packet being flagged as whitelisted yet it's still generating a block.

        What am I doing wrong?

        Make sure when you change anything in Snort related to Pass Lists or aliases that you restart the Snort process on that interface by clicking the icons on the Snort Interfaces tab.  Snort is, for the most part, not a "dynamic daemon".  It reads startup configuration parameters only once during start and does not look at them again until the next restart.  The lone exception to this is updating the in-memory rule signatures which can be done by sending the process a SIGUSR2 signal.

        Did you restart Snort on the interface when you made these changes?

        Also, when creating a Pass List, there are three discreet steps to perform.  First, create the Pass List itself on the PASS LISTS tab.  Second, go to the INTERFACE SETTINGS tab in Snort where you want to use the Pass List and "assign" that list to the interface by selecting it in the drop-down box for Pass List down near the bottom of that page.  Finally, restart Snort on the interface so it will read the new Pass List.

        Bill

        1 Reply Last reply Reply Quote 0
        • T
          thx2000
          last edited by

          Thank you!  The last paragraph was my problem.  For some reason, I assumed when adding the pass list that was modifying the default pass list.  For future reference, what is the recommended procedure for adding hosts to the whitelist?  I'm assuming I just need to update the alias, and restart the daemon on the interface?  Are there any other tricks I should be aware of?

          Thanks again.

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by

            @thx2000:

            Thank you!  The last paragraph was my problem.  For some reason, I assumed when adding the pass list that was modifying the default pass list.  For future reference, what is the recommended procedure for adding hosts to the whitelist?  I'm assuming I just need to update the alias, and restart the daemon on the interface?  Are there any other tricks I should be aware of?

            Thanks again.

            Yep, update the assigned alias and restart the interface.

            I think I will put some notifications and/or extra text on the PASS LIST tab in a future release to make this more clear.  It has tripped up several folks.

            Bill

            1 Reply Last reply Reply Quote 0
            • First post
              Last post