Snort Blocking Whitelisted IP



  • I've tried every which way to whitelist a group of IPs.  I've tried an alias through a pass list, as well as creating an IP List and adding it to the IP rep config.  I have since deleted the IP rep entirely and yet I'm still getting these blocks:

    ET POLICY Vulnerable Java Version 1.7.x Detected - 03/05/15-20:33:33 (spp_reputation) packets whitelisted - 03/05/15-20:18:33

    I interpret this as the packet being flagged as whitelisted yet it's still generating a block.

    What am I doing wrong?



  • @thx2000:

    I've tried every which way to whitelist a group of IPs.  I've tried an alias through a pass list, as well as creating an IP List and adding it to the IP rep config.  I have since deleted the IP rep entirely and yet I'm still getting these blocks:

    ET POLICY Vulnerable Java Version 1.7.x Detected - 03/05/15-20:33:33 (spp_reputation) packets whitelisted - 03/05/15-20:18:33

    I interpret this as the packet being flagged as whitelisted yet it's still generating a block.

    What am I doing wrong?

    Make sure when you change anything in Snort related to Pass Lists or aliases that you restart the Snort process on that interface by clicking the icons on the Snort Interfaces tab.  Snort is, for the most part, not a "dynamic daemon".  It reads startup configuration parameters only once during start and does not look at them again until the next restart.  The lone exception to this is updating the in-memory rule signatures which can be done by sending the process a SIGUSR2 signal.

    Did you restart Snort on the interface when you made these changes?

    Also, when creating a Pass List, there are three discrete steps to perform.  First, create the Pass List itself on the PASS LISTS tab.  Second, go to the INTERFACE SETTINGS tab in Snort where you want to use the Pass List and "assign" that list to the interface by selecting it in the drop-down box for Pass List down near the bottom of that page.  Finally, restart Snort on the interface so it will read the new Pass List.

    Bill



  • Thank you!  The last paragraph was my problem.  For some reason, I assumed when adding the pass list that was modifying the default pass list.  For future reference, what is the recommended procedure for adding hosts to the whitelist?  I'm assuming I just need to update the alias, and restart the daemon on the interface?  Are there any other tricks I should be aware of?

    Thanks again.



  • @thx2000:

    Thank you!  The last paragraph was my problem.  For some reason, I assumed when adding the pass list that was modifying the default pass list.  For future reference, what is the recommended procedure for adding hosts to the whitelist?  I'm assuming I just need to update the alias, and restart the daemon on the interface?  Are there any other tricks I should be aware of?

    Thanks again.

    Yep, update the assigned alias and restart the interface.

    I think I will put some notifications and/or extra text on the PASS LIST tab in a future release to make this more clear.  It has tripped up several folks.

    Bill
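
An added example, not part of the thread and not pfSense or Snort package code: a Python check that compares hosts Snort has blocked against the entries expected in the pass list. A blocked host that the list covers means the running Snort instance never loaded that list (it was not assigned to the interface, or Snort was not restarted). The one-entry-per-line list format, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not taken from the thread.
SAMPLE_PASS_LIST = """
# trusted hosts (assumed format: one IP or CIDR per line)
192.0.2.0/24
198.51.100.7
"""
SAMPLE_BLOCKED = [
    ("192.0.2.44", "ET POLICY Vulnerable Java Version 1.7.x Detected"),
    ("203.0.113.5", "constructed sample alert"),
]


def load_pass_list(text):
    """Parse pass-list text into network objects, skipping blanks and '#' comments."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            # strict=False accepts host addresses written with a prefix length
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def stale_blocks(pass_nets, blocked):
    """Return (ip, matching pass entry, alert) for blocks the pass list should have prevented."""
    hits = []
    for ip_text, alert in blocked:
        ip = ipaddress.ip_address(ip_text)
        match = next(
            (n for n in pass_nets if n.version == ip.version and ip in n), None
        )
        if match is not None:
            hits.append((ip_text, str(match), alert))
    return hits


if __name__ == "__main__":
    for ip, entry, alert in stale_blocks(load_pass_list(SAMPLE_PASS_LIST), SAMPLE_BLOCKED):
        print(f"{ip} is covered by pass entry {entry} but was blocked for: {alert}")
        print("  -> confirm the list is assigned to the interface, then restart Snort on it")
```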

