Snort Fatal Error with passlist-whitelist alias

  • OK, so I have snort running but I ran into an issue where when I try and add an alias I've created to the pass list under Services -> Snort -> Pass List
    It causes snort to crash.
    All addresses in the alias are just that, addresses with the appropriate subnet for that address. No FQDNs

    The log is as such…

    Jan 24 00:05:43	snort[81570]: Could not read appName. Line Snort Differs AppKey paltalkfiletransfer -> paltalkfiletran
    Jan 24 00:05:43	SnortStartup[81207]: Snort START
    snort[55372]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_15257_igb4/rules/snort.rules(2256) Negated IP ranges that are more general than non-negated ranges are not allowed. Consider inverting the logic: 

    What does it mean, "Consider inverting the logic"?
    I really need to white list these addresses on two interfaces.
    This is a dual internet dual LAN setup with a vlan.

    It is very well possible I'm not putting the whitelist in the correct location. If that is the case where should it be set up?

  • bump, still having this problem. I'm using IP addresses with the Subnet. No FQDNs and there are IPs I need to whitelist. I have a whole list of IP ranges that need to be whitelisted.

  • Your IP address definitions are incorrect.  The error message is essentially telling you what's wrong.  You have "not this IP" ranges that are more general than your "this IP" ranges.  What you need to do is invert your ranges.  Make your "this IP" range more inclusive than your "not this IP" range.  Posting your rule with the actual IP address ranges might help us troubleshoot this with you.  The rule is on line 2256 of the file /usr/pbi/snort-amd64/etc/snort/snort_15257_igb4/rules/snort.rules
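
The condition described in the reply above can be checked before an address list is handed to Snort. The following is an added example, not part of the original thread and not Snort's own code: it assumes a flat (non-nested) Snort-style list and treats a conflict as a negated range that equals or contains an included range. The function names and the sample lists (RFC 5737 documentation addresses) are constructed for illustration.

```python
import ipaddress


def parse_ip_list(spec):
    """Split a flat list like "[192.0.2.0/25,!192.0.2.0/24]" into
    (included, negated) lists of ip_network objects."""
    included, negated = [], []
    for item in spec.strip().strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        target = negated if item.startswith("!") else included
        # strict=False accepts host bits, e.g. 192.0.2.5/24 -> 192.0.2.0/24
        target.append(ipaddress.ip_network(item.lstrip("!"), strict=False))
    return included, negated


def find_conflicts(spec):
    """Return (negated, included) pairs where the negated range is equal to
    or more general than an included range it overlaps."""
    included, negated = parse_ip_list(spec)
    conflicts = []
    for inc in included:
        for neg in negated:
            if inc.version != neg.version:
                continue  # never compare IPv4 against IPv6
            if inc.subnet_of(neg):  # neg covers all of inc
                conflicts.append((str(neg), str(inc)))
    return conflicts


# Constructed sample lists.
BAD = "[192.0.2.0/25,!192.0.2.0/24]"    # "not this IP" is the broader range
GOOD = "[192.0.2.0/24,!192.0.2.128/25]"  # inverted: broad include, narrow exclude

if __name__ == "__main__":
    for name, spec in (("BAD", BAD), ("GOOD", GOOD)):
        hits = find_conflicts(spec)
        print(name, spec, "->", hits if hits else "no conflict")
```
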

