Netgate Discussion Forum

    Snort Fatal Error with passlist-whitelist alias

    IDS/IPS
    3 Posts 2 Posters 981 Views
    Visseroth

      OK, so I have snort running, but I ran into an issue where, when I try to add an alias I've created to the pass list under Services -> Snort -> Pass List, it causes snort to crash.
      All addresses in the alias are just that, addresses with the appropriate subnet for that address. No FQDNs.

      The log is as such…

      Jan 24 00:05:43	snort[81570]: Could not read appName. Line Snort Differs AppKey paltalkfiletransfer -> paltalkfiletran
      Jan 24 00:05:43	SnortStartup[81207]: Snort START
      snort[55372]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_15257_igb4/rules/snort.rules(2256) Negated IP ranges that are more general than non-negated ranges are not allowed. Consider inverting the logic: 
      

      What does it mean, "Consider inverting the logic"?
      I really need to white list these addresses on two interfaces.
      This is a dual internet dual LAN setup with a vlan.

      It is very well possible I'm not putting the whitelist in the correct location. If that is the case where should it be setup?

      Visseroth

        bump, still having this problem. I'm using IP addresses with the Subnet. No FQDNs and there are IPs I need to whitelist. I have a whole list of IP ranges that need to be whitelisted.

        bmeeks

          Your IP address definitions are incorrect.  The error message is essentially telling you what's wrong.  You have "not this IP" ranges that are more general than your "this IP" ranges.  What you need to do is invert your ranges.  Make your "this IP" range more inclusive than your "not this IP" range.  Posting your rule with the actual IP address ranges might help us troubleshoot this with you.  The rule is on line 2256 of the file /usr/pbi/snort-amd64/etc/snort/snort_15257_igb4/rules/snort.rules

          Bill

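An added example, not code from this thread or from Snort/pfSense: a small Python checker for the condition the FATAL ERROR above reports, run over constructed IP lists. It assumes Snort's conflict test is "a negated range that is a supernet of, or equal to, a non-negated range", and that "inverting the logic" means swapping which of the two ranges carries the `!`.

```python
import ipaddress

def parse_ip_list(text):
    """Parse a Snort-style IP list such as "[10.0.0.0/8,!10.1.2.0/24]"
    into (network, negated) tuples. Bare addresses get a host mask."""
    body = text.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    entries = []
    for tok in body.split(","):
        tok = tok.strip()
        if not tok:
            continue
        negated = tok.startswith("!")
        net = ipaddress.ip_network(tok.lstrip("!").strip(), strict=False)
        entries.append((net, negated))
    return entries

def format_ip_list(entries):
    """Render (network, negated) tuples back into Snort list syntax."""
    return "[" + ",".join(("!" if neg else "") + str(net)
                          for net, neg in entries) + "]"

def find_conflicts(entries):
    """Return (negated, positive) pairs where the negated range contains the
    positive one: the case Snort rejects as a fatal error (assumed rule)."""
    conflicts = []
    for neg_net, is_neg in entries:
        if not is_neg:
            continue
        for pos_net, pos_neg in entries:
            if pos_neg or pos_net.version != neg_net.version:
                continue
            if pos_net.subnet_of(neg_net):  # equal or contained
                conflicts.append((neg_net, pos_net))
    return conflicts

def invert_logic(entries):
    """Swap negation on every entry involved in a conflict, so the broad range
    becomes the "this IP" set and the narrow one the exception. Two identical
    ranges (one negated, one not) cannot be fixed this way and stay in conflict."""
    flip = set()
    for neg_net, pos_net in find_conflicts(entries):
        flip.update((neg_net, pos_net))
    return [(net, (not neg) if net in flip else neg) for net, neg in entries]

if __name__ == "__main__":
    bad = parse_ip_list("[10.1.2.0/24,!10.0.0.0/8]")  # constructed input
    print("conflicts:", find_conflicts(bad))
    print("inverted:", format_ip_list(invert_logic(bad)))
```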
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.