Legitimate dest IPs blocked on snort2c:0… help!!!!
-
Hi forum!
I have been reading around about the snort2c table, but haven't managed to get my legitimate traffic to pass through.
This is something really annoying and I don't know how to solve it. Basically, everything went smoothly until I installed Suricata and pfBlockerNG (mostly, they work well... though).
I have set up a top_lis legitimate IP list to ensure they pass, to no avail...
I have even set a temporary pass-all scheme... but again to no avail. My dest IP is an Amazon EC2 instance whose IP is somehow entered in the snort2c table, as in System Logs -> Firewall the block is listed and related to the snort2c:0 stuff.
The problem is I do not know how to control it. (I assume there is some way to control it... or we are in a bug/feature case.) I have cleared and disabled Suricata, disabled pfBlockerNG and reloaded filters... to no avail, so I feel I'm out of control of my legitimate traffic...
The only way to resume traffic is rebooting :-\ ...very ugly... Could you point me to how this should be done elegantly?!?!
Or should I file a bug/feature request? Thank you very much guys!
-
Got it partially... I'm a f...ng noob!!!! :-[
Diagnostics -> Tables and got it removed...
The problem is how to avoid my legitimate IPs ending up there...
I have set a suppress list in pfBlockerNG and a pass list in Suricata with my IPs. Either I did something wrong creating my lists or they are ignored...
Anyhow, I feel controlling all this is very obscure compared with "normal" GUI rules/NAT.
-
When you created your Pass List, did you then go to the INTERFACE SETTINGS tab for the Suricata interface and "assign" the new Pass List to the interface? You have to select the Pass List by name from the drop-down box for PASS LIST. After selecting and saving the change, you must restart Suricata on the interface.
Also, you cannot use FQDN aliases in a Pass List. They will be ignored as neither Suricata nor Snort currently support them.
Bill
-
…Aha....
Let's do it!
will report results...Thank you very much!
-
Effectively that part was missing...
The problem, though, is when users have dynamic IPs assigned by ISPs... it is impossible to track them or add them to a whitelist, as they're dynamic...
But what worries me is the feeling of no control... the only trace I have is a crude entry in the firewall syslog pointing to the snort2c table as the block reason.
My pfBlockerNG or Suricata logs do not claim those IPs as alerts/blocks... so it is a simple and crude firewall block by the sole fact of belonging to the snort2c table... and I do not know what makes an IP enter this table... Could you please explain what this table is?
Thank you very much!
-
I think they were from the Snort/Suricata Blocked list, if you turn 'Block Offenders' on.
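The check I would want before rebooting or flushing anything is whether the addresses sitting in the snort2c table are ones the pass list assigned to the interface says must never be blocked, and whether any pass-list entries are hostnames that Suricata/Snort silently ignore, as Bill notes. The script below is an added example, not code from the thread or from the pfSense Snort/Suricata packages. It assumes two inputs you can capture on the firewall shell: the output of `pfctl -t snort2c -T show` (one address per line) and the pass-list file contents (one IP or CIDR per line). Both samples embedded here are constructed for the demo; the EC2-style hostname line is there only to show the unsupported case.

```python
"""Cross-check the pfSense snort2c table against a Suricata/Snort pass list.

Added example, not part of the forum thread or the pfSense packages.
Inputs are assumed to be plain text captured on the firewall:
  * `pfctl -t snort2c -T show`   -> one blocked address per line
  * the pass-list file assigned to the interface -> IPs/CIDRs per line
"""
import ipaddress

# Constructed sample of `pfctl -t snort2c -T show` output (RFC 5737 addresses).
SAMPLE_TABLE = """\
   198.51.100.7
   203.0.113.25
   192.0.2.40
"""

# Constructed sample pass list. The hostname line is deliberately there:
# Suricata/Snort do not resolve names in a pass list, so it is ignored.
SAMPLE_PASSLIST = """\
# addresses that must never be blocked
203.0.113.25
198.51.100.0/24
ec2-host.example.com
"""


def parse_table(text):
    """Return the entries of a pfctl table dump as ip_network objects."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            # A bare IP becomes a /32 (or /128) network, which keeps the
            # containment test below uniform for hosts and CIDR blocks.
            entries.append(ipaddress.ip_network(line, strict=False))
    return entries


def parse_passlist(text):
    """Return (networks, ignored_lines) from a pass-list file.

    Lines that are not an IP or CIDR (hostnames, FQDN alias entries) are
    collected separately so you can see what the IDS will not honour.
    """
    nets, ignored = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            ignored.append(line)
    return nets, ignored


def wrongly_blocked(table_text, passlist_text):
    """Addresses present in snort2c that the pass list says must pass."""
    blocked = parse_table(table_text)
    nets, _ = parse_passlist(passlist_text)
    hits = []
    for entry in blocked:
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if any(entry.version == n.version and entry.subnet_of(n) for n in nets):
            hits.append(str(entry.network_address))
    return sorted(hits)


def unblock_commands(ips):
    """pfctl commands that remove the given hosts from snort2c without a reboot.

    This is the CLI equivalent of deleting the entry under Diagnostics -> Tables.
    """
    return ["pfctl -t snort2c -T delete %s" % ip for ip in ips]


if __name__ == "__main__":
    bad = wrongly_blocked(SAMPLE_TABLE, SAMPLE_PASSLIST)
    _, ignored = parse_passlist(SAMPLE_PASSLIST)
    for line in ignored:
        print("pass-list entry ignored by Suricata/Snort (not an IP/CIDR):", line)
    for cmd in unblock_commands(bad):
        print(cmd)
```

On the firewall itself you would feed the functions real data, e.g. `pfctl -t snort2c -T show` piped into a file, plus the pass-list file Suricata writes for the interface. If the script reports a hit, the host was blocked by the IDS block-offenders mechanism and the pass list did not cover it when the block happened; assign the pass list on the interface settings tab and restart Suricata on that interface, then delete the stale entries with the printed commands rather than rebooting. Any line the script reports as ignored needs to be replaced by the literal address or CIDR.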