SNORT blocking friendly IP alias
-
Hi Bill
Just wanna let you know that the friendly IP alias gets blocked in snort desapite having it on the pass list tab.
-
Is the friendly IP alias a static IP, or does it perhaps change now and then? You can physically verify the actual contents of the Pass List two ways. First, on the INTERFACE SETTINGS tab for the interface in Suricata, scroll down and click the View List button beside the PASS LIST drop-down. That will open a pop-up browser window showing the IP addresses in the currently selected list (the one selected in the drop-down). The other method is to browse via the Diagnostics > Edit File menu to /usr/pbi/suricata-amd64/etc/suricata/ and then down to the specific interface path. Once there, open up the pass list file. It will have the same name as what is selected in the drop-down on the INTERFACE SETTINGS tab.
Another frequent oops committed by users is forgetting to actually assign a PASS LIST to the Suricata interface on the INTERFACE SETTINGS tab. You select one in the drop-down, then save, and then restart Suricata on the interface.
Bill
-
I posted a different thread about Suricata not detecting a WAN VIP in its Home Net, and this caught my eye. Once I created my own Home Net alias and list, the pass list now starts out:
10.15.55.1/32
10.15.55.42/32
10.15.55.43
10.99.99.0/24 (the LAN subnet)
…The VIP (10.15.55.43) and anything else I've set on the pass list alias in pfSense show without the "/32"? May not be an issue but it caught my eye. We haven't enabled blocking yet so I don't know if it would be blocked, and as I understand it the alerts still show unless blocking is turned on.
-
Does it make a difference that its Snort that in question??
Is the friendly IP alias a static IP, or does it perhaps change now and then? You can physically verify the actual contents of the Pass List two ways. First, on the INTERFACE SETTINGS tab for the interface in Suricata, scroll down and click the View List button beside the PASS LIST drop-down. That will open a pop-up browser window showing the IP addresses in the currently selected list (the one selected in the drop-down). The other method is to browse via the Diagnostics > Edit File menu to /usr/pbi/suricata-amd64/etc/suricata/ and then down to the specific interface path. Once there, open up the pass list file. It will have the same name as what is selected in the drop-down on the INTERFACE SETTINGS tab.
Another frequent oops committed by users is forgetting to actually assign a PASS LIST to the Suricata interface on the INTERFACE SETTINGS tab. You select one in the drop-down, then save, and then restart Suricata on the interface.
Bill
-
Does it make a difference that its Snort that in question??
Well that's what chronic low sleep will do to you. :) Actually I suspect the two packages share a lot of code; for instance the popups for viewing the lists in the Suricata plugin all show "Snort" e.g. "Snort: HOME_NET Viewer."
-
Does it make a difference that its Snort that in question??
My bad on giving the Suricata path instead of Snort. The ideas are the same as the blocking technology is essentially identical in both packages. In the paths I listed, just replace "suricata" with "snort" and everything else is the same.
I am mulling over some options for bettering the operation of the PASS LIST (and the automatic default pass list) in both Snort and Suricata. Might even be able to support aliases at some level, but still thinking that one through for options that won't adversely impact performance.
Bill
-
Thanks man! Greatly appreciated!