Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort Passlist IPs still blocking

    Scheduled Pinned Locked Moved IDS/IPS
    7 Posts 4 Posters 2.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      heliop100
      last edited by

      Hi

      I setup one passlist, set on interface, restart the interface.
      If I click on view list the IPs are there, but still blocking.
      The passlist have networks on CIDR format.

      Is it possible pass CIDR networks on Snort PassList?

      Thanks.

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        Yes, CIDR networks are accepted on the PASS LIST.  When you say "still blocking", have you removed the original blocks?  You need to go to the BLOCKED tab and delete any blocked IPs that are now on a PASS LIST.  They should not come back if things are configured properly.

        Can you share your PASS LIST?  Also check the system log to see if any error messages were recorded indicating Snort may have a problem parsing one or more lines in the PASS LIST file.

        Bill

        1 Reply Last reply Reply Quote 0
        • H
          heliop100
          last edited by

          Hi,

          Yes, I clean all blocks after restart Snort.

          Don't find any error on logs, but block log:

          Aug 17 18:06:34 snort[27469]: [124:2:1] (smtp) Attempted data header buffer overflow: 1224 chars [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 208.70.91.18:51503 -> 186.xxx.xxx.xxx:25
          Aug 17 18:06:34 snort[27469]: [124:2:1] (smtp) Attempted data header buffer overflow: 1224 chars [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 208.70.91.18:51503 -> 186.xxx.xxx.xxx:25

          Aug 17 17:12:55 snort[27469]: [124:2:1] (smtp) Attempted data header buffer overflow: 1097 chars [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 5.10.67.160:50955 -> 186.xxx.xx.xxx:25
          Aug 17 17:12:55 snort[27469]: [124:2:1] (smtp) Attempted data header buffer overflow: 1097 chars [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 5.10.67.160:50955 -> 186.xxx.xx.xxx:25

          My passlist:

          5.10.67.0/24 94.186.192.0/24
          174.36.154.0/24
          192.69.16.0/24
          192.69.17.0/24
          192.69.18.0/24
          192.69.19.0/24
          208.43.37.0/24
          208.70.88.0/24
          208.70.89.0/24
          208.70.90.0/24
          208.70.91.0/24
          177.72.255.0/24
          186.233.243.0/24
          186.233.244.0/22
          200.144.0.0/22
          200.144.0.0/20
          200.144.0.0/19
          200.144.4.0/22
          200.144.8.0/22
          200.144.12.0/22
          200.144.16.0/20
          200.144.24.0/22
          200.144.74.0/23
          201.55.0.0/19
          201.55.0.0/18
          201.55.16.0/22
          201.55.32.0/19
          201.55.60.0/22
          177.92.208.0/20
          200.155.80.0/23
          200.155.82.0/23
          200.155.84.0/23
          200.155.86.0/24
          200.155.87.0/24
          200.155.88.0/23
          200.155.90.0/23
          200.155.92.0/24
          200.155.93.0/24
          200.155.94.0/23
          66.159.106.0/24
          66.159.107.0/24

          Thanks.

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by

            Sorry to pester you with more questions, but I need to be sure I am clear on some of the facts –

            Are you getting actual blocks reappearing on the BLOCKED tab and traffic to/from those hosts is actually interrupted, or are you just seeing these entries reappear on the ALERTS tab?  I ask because putting an IP on the PASS LIST should prevent blocks from that IP, but it will not prevent future alerts from showing on the ALERTS tab.  When something is on a PASS LIST, the alert still happens, but it does not lead to a block.

            I have folks using Snort with varying levels of experience with both it and pfSense, so please excuse me if my additional questions are insulting your intelligence… :).  Just need to make sure we are using the same terminology and looking in the same places while troubleshooting.

            One other question, are you running Snort on WAN, LAN, somewhere else, or all of the above?  If multiple interfaces, which one is experiencing this particular problem?

            Bill

            1 Reply Last reply Reply Quote 0
            • H
              Halvsvenskeren
              last edited by

              Have you configured this??

              So it uses your suppress list and not the default one?

              snort_suppression.PNG
              snort_suppression.PNG_thumb

              1 Reply Last reply Reply Quote 0
              • R
                rand4505
                last edited by

                Any fix for this yet?  I am having the same issue and its pissing me off, having to completely disable Snort/Surcata due to this, same issue with both.

                1 Reply Last reply Reply Quote 0
                • H
                  heliop100
                  last edited by

                  Very strange!

                  Yes, I setup passlist on interface. And restarted it.
                  Yes, the IPs are on "Blocked" tab.

                  But on 08/17 I edit the alias to ad some other IPs, restarted snort again, and voilá. Now it's working perfectly!!!

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.