    Snort Passlist IPs still blocking

    IDS/IPS
    • H
      heliop100 last edited by

      Hi

I set up one passlist, assigned it to the interface, and restarted the interface.
If I click on "view list" the IPs are there, but they are still being blocked.
The passlist has networks in CIDR format.

Is it possible to pass CIDR networks on the Snort PassList?

      Thanks.

      • bmeeks
        bmeeks last edited by

        Yes, CIDR networks are accepted on the PASS LIST.  When you say "still blocking", have you removed the original blocks?  You need to go to the BLOCKED tab and delete any blocked IPs that are now on a PASS LIST.  They should not come back if things are configured properly.

        Can you share your PASS LIST?  Also check the system log to see if any error messages were recorded indicating Snort may have a problem parsing one or more lines in the PASS LIST file.

        Bill

        • H
          heliop100 last edited by

          Hi,

Yes, I cleared all blocks after restarting Snort.

I don't find any errors in the logs, but the block log shows:

          Aug 17 18:06:34 snort[27469]: [124:2:1] (smtp) Attempted data header buffer overflow: 1224 chars [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 208.70.91.18:51503 -> 186.xxx.xxx.xxx:25
          Aug 17 18:06:34 snort[27469]: [124:2:1] (smtp) Attempted data header buffer overflow: 1224 chars [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 208.70.91.18:51503 -> 186.xxx.xxx.xxx:25

          Aug 17 17:12:55 snort[27469]: [124:2:1] (smtp) Attempted data header buffer overflow: 1097 chars [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 5.10.67.160:50955 -> 186.xxx.xx.xxx:25
          Aug 17 17:12:55 snort[27469]: [124:2:1] (smtp) Attempted data header buffer overflow: 1097 chars [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 5.10.67.160:50955 -> 186.xxx.xx.xxx:25

          My passlist:

5.10.67.0/24
94.186.192.0/24
          174.36.154.0/24
          192.69.16.0/24
          192.69.17.0/24
          192.69.18.0/24
          192.69.19.0/24
          208.43.37.0/24
          208.70.88.0/24
          208.70.89.0/24
          208.70.90.0/24
          208.70.91.0/24
          177.72.255.0/24
          186.233.243.0/24
          186.233.244.0/22
          200.144.0.0/22
          200.144.0.0/20
          200.144.0.0/19
          200.144.4.0/22
          200.144.8.0/22
          200.144.12.0/22
          200.144.16.0/20
          200.144.24.0/22
          200.144.74.0/23
          201.55.0.0/19
          201.55.0.0/18
          201.55.16.0/22
          201.55.32.0/19
          201.55.60.0/22
          177.92.208.0/20
          200.155.80.0/23
          200.155.82.0/23
          200.155.84.0/23
          200.155.86.0/24
          200.155.87.0/24
          200.155.88.0/23
          200.155.90.0/23
          200.155.92.0/24
          200.155.93.0/24
          200.155.94.0/23
          66.159.106.0/24
          66.159.107.0/24

          Thanks.

          • bmeeks
            bmeeks last edited by

            Sorry to pester you with more questions, but I need to be sure I am clear on some of the facts –

            Are you getting actual blocks reappearing on the BLOCKED tab and traffic to/from those hosts is actually interrupted, or are you just seeing these entries reappear on the ALERTS tab?  I ask because putting an IP on the PASS LIST should prevent blocks from that IP, but it will not prevent future alerts from showing on the ALERTS tab.  When something is on a PASS LIST, the alert still happens, but it does not lead to a block.

            I have folks using Snort with varying levels of experience with both it and pfSense, so please excuse me if my additional questions are insulting your intelligence… :).  Just need to make sure we are using the same terminology and looking in the same places while troubleshooting.

            One other question, are you running Snort on WAN, LAN, somewhere else, or all of the above?  If multiple interfaces, which one is experiencing this particular problem?

            Bill
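As an added example (not code from this thread or from the pfSense Snort package), the script below reads a passlist in the one-network-per-line format posted above, reports any line that is not a single IP or CIDR network (the kind of line Snort would fail to parse), and checks the source IP of each alert against the passlist, so you can tell which alerted hosts are expected to keep appearing on the ALERTS tab but must never appear on the BLOCKED tab. The passlist entries and alert lines are constructed; 192.0.2.10 stands in for the masked destination address in the posted logs.

```python
import ipaddress
import re

# Constructed passlist modelled on the format in the thread (one network per line).
# The second line deliberately holds two networks to show how a malformed line is
# reported instead of being silently dropped.
PASSLIST_TEXT = """5.10.67.0/24
94.186.192.0/24 174.36.154.0/24
208.70.91.0/24
"""

# Constructed alert lines modelled on the ones posted above; 192.0.2.10 is a
# placeholder for the masked 186.xxx.xxx.xxx mail server address.
ALERT_LINES = [
    "Aug 17 18:06:34 snort[27469]: [124:2:1] (smtp) Attempted data header buffer overflow: "
    "1224 chars [Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 208.70.91.18:51503 -> 192.0.2.10:25",
    "Aug 17 17:12:55 snort[27469]: [124:2:1] (smtp) Attempted data header buffer overflow: "
    "1097 chars [Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 5.10.67.160:50955 -> 192.0.2.10:25",
    # A third, constructed alert from a host that is NOT on the passlist.
    "Aug 17 17:20:00 snort[27469]: [1:2000000:1] constructed test alert [Priority: 3] "
    "{TCP} 203.0.113.7:4444 -> 192.0.2.10:25",
]

# Matches the trailing "{PROTO} src:port -> dst:port" part of a Snort alert line.
ALERT_RE = re.compile(r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")


def load_passlist(text):
    """Return (networks, bad_lines). bad_lines holds (line_no, text) for every
    non-empty, non-comment line that is not exactly one IP address or CIDR network."""
    nets, bad = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append((line_no, line))
    return nets, bad


def is_passlisted(ip, nets):
    """True if ip falls inside any passlist network (a bare IP counts as a /32)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify_alerts(lines, nets):
    """For each parseable alert, return (source_ip, passlisted). A passlisted source
    should still alert, but must not lead to a block."""
    result = []
    for line in lines:
        match = ALERT_RE.search(line)
        if match:
            result.append((match.group("src"), is_passlisted(match.group("src"), nets)))
    return result
```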

            • H
              Halvsvenskeren last edited by

              Have you configured this??

              So it uses your suppress list and not the default one?


              • R
                rand4505 last edited by

Any fix for this yet?  I am having the same issue and it's pissing me off, having to completely disable Snort/Suricata due to this, same issue with both.

                • H
                  heliop100 last edited by

                  Very strange!

Yes, I set up the passlist on the interface and restarted it.
Yes, the IPs are on the "Blocked" tab.

But on 08/17 I edited the alias to add some other IPs, restarted Snort again, and voilà. Now it's working perfectly!!!
