|
g4m3c4ck
|
 |
« on: March 16, 2010, 10:01:28 am » |
|
I blocked my VOIP provider on accident with snort. I had 7 day block time set for snort. When I whitelisted the IPs they still remained blocked.  Could there be a way to have an unblock icon by the blocked IPs in the list or to get the package to check the whitelisted addresses on save and remove blocked IPs? |
|
|
|
|
Logged
|
|
|
|
|
|
g4m3c4ck
|
|
« Reply #1 on: March 16, 2010, 03:43:19 pm » |
|
Thanks James,
You do a great deal for the pfsense community especially when it comes to packaging snort!
The IP was listed in /var/db/whitelist
Another little bug I noticed is with the rules page. The drop down does not seem to work after clicking on a rule URL from the categories page. Not sure if you knew or not. Just an FYI.
I am running 2.8.4.1_5 pkg v.1.7
1.2.3-RELEASE
|
|
|
|
|
Logged
|
|
|
|
|
|
TreeTopFlyer
|
|
« Reply #2 on: March 16, 2010, 06:31:26 pm » |
|
I'm running the same version of Snort and my blocked page has the ability to remove a blocked IP.
Edit: Actually, under "Installed Packages" it says I have 2.8.4.1_5 pkg ver 1.7. On the Snort settings page it shows I have 2.8.4.1_5 pkg ver 1.6 . . . so I'm not really sure what version is correct.
|
|
|
|
« Last Edit: March 16, 2010, 06:35:38 pm by TreeTopFlyer »
|
Logged
|
|
|
|
|
|
romegas
|
|
« Reply #3 on: April 01, 2010, 09:39:38 am » |
|
When I whitelisted the IPs they still remained blocked. I had a similar problem, an ip in the whitelist was blocked. I had to [Save] the snort configuration (on snort's main page), and remove this ip from the [Blocked] list, then it was ok, the ip was allowed. |
|
|
|
|
Logged
|
PFSense : 1.2
Squid : 2.6.18.1_08
SquidGuard : 1.2.0_1-2
|
|
|
|
|
smknjoe
|
|
« Reply #4 on: April 18, 2010, 03:17:15 pm » |
|
I have several IPs on my LAN that are being blocked even though I have added the entire subnet (192.168.1.0/24) to the whitelist. If I manually add each IP it looks like it works (so far.) Does the addition of a entire network not function? Will I have to add each and every IP I want whitelisted? FYI: all entries do show up in /var/db/whitelist and I have Snort 2.8.5.3 pkg v. 1.21.
|
|
|
|
|
Logged
|
|
|
|
|
|
jamesdean
|
|
« Reply #5 on: April 18, 2010, 06:17:58 pm » |
|
I have several IPs on my LAN that are being blocked even though I have added the entire subnet (192.168.1.0/24) to the whitelist. If I manually add each IP it looks like it works (so far.) Does the addition of a entire network not function? Will I have to add each and every IP I want whitelisted? FYI: all entries do show up in /var/db/whitelist and I have Snort 2.8.5.3 pkg v. 1.21.
Im working on it.... James |
|
|
|
|
Logged
|
PLease post your Pfsense Version and Snort Version when asking questions. Thank you.
|
|
|
|
|
smknjoe
|
|
« Reply #6 on: April 18, 2010, 09:10:24 pm » |
|
Im working on it.... Awesome, I really appreciate your help. 1.2.3-RELEASE Snort 2.8.5.3 pkg v. 1.21 |
|
|
|
|
Logged
|
|
|
|
|
|
smknjoe
|
|
« Reply #7 on: April 19, 2010, 10:47:22 am » |
|
Well, it looks like it blocks single LAN IPs (192.168.1.2 192.168.1.5) that are whitelisted also. 1.2.3-RELEASE Snort 2.8.5.3 pkg v. 1.21 |
|
|
|
|
Logged
|
|
|
|
|
|
seanlee
|
|
« Reply #8 on: April 28, 2010, 03:48:08 am » |
|
It ignores my whitelist too, no matter how many times I save/apply.
I've tried:
192.168.1.0/24
192.168.1.1/32
192.168.1.1
pfsense 1.2.3-RELEASE
Snort 2.8.5.3 pkg v. 1.22
|
|
|
|
|
Logged
|
|
|
|
|
|
jamesdean
|
|
« Reply #9 on: April 28, 2010, 04:12:57 am » |
|
After you create a whitelist or modify a whitelist you need to save your settings in the interface edit tab and restart the interface that is using the whitelist.
Only CIDR blocks and ips are required.
This will not work 192.168.1.1/32.
USe only ips 192.168.1.1 or blocks 192.168.1.0/24.
James
|
|
|
|
« Last Edit: April 28, 2010, 04:23:43 am by jamesdean »
|
Logged
|
PLease post your Pfsense Version and Snort Version when asking questions. Thank you.
|
|
|
|
|
seanlee
|
|
« Reply #10 on: April 28, 2010, 11:58:26 am » |
|
Thanks I will try this.
I noticed that the IP's I submit for my whitelist are nowhere to be found in /usr/local/etc/snort/whitelist/mylist.
I have to edit the file manually from the shell using VI. If I follow your procedure after I edit the file, then it seems to work.
The file is rw-rw---- and user/group is snort/snort.
-Sean
|
|
|
|
|
Logged
|
|
|
|
|
|
goremache
|
|
« Reply #11 on: May 12, 2010, 06:13:57 am » |
|
hi all,
Frist, thanks James for a very very nice tool !!!. Many thanks.
Second, I'm having the same problem. The whitelist works for individual ips but not for block (x.x.x.x/24 entry). I've checked also the /usr/local/etc/snort/whitelist/mylist and it has the settings entered in the GUI. I have also restarted the snort service after each modify.
Please help me ... because entering each host ip is not an option.
Thanks a lot !!!
|
|
|
|
|
Logged
|
|
|
|
|
|
goremache
|
|
« Reply #12 on: May 12, 2010, 06:40:06 am » |
|
sorry ... I forgot the used versions...
snort 2.8.5.3 pkg v. 1.25
pfsense 1.2.3-RELEASE
thanks
|
|
|
|
|
Logged
|
|
|
|
|
|
jamesdean
|
|
« Reply #13 on: May 12, 2010, 02:44:35 pm » |
|
sorry ... I forgot the used versions...
snort 2.8.5.3 pkg v. 1.25
pfsense 1.2.3-RELEASE
thanks
I have to recode the ips plugin for snort so that cidr blocks can be used again. I am really busy with payed projects at the moment and will not be free for a month or so. James |
|
|
|
|
Logged
|
PLease post your Pfsense Version and Snort Version when asking questions. Thank you.
|
|
|
|
|
goremache
|
|
« Reply #14 on: May 13, 2010, 04:05:24 am » |
|
It's ok ... ...thanks for the support and looking forward for the new version  |
|
|
|
|
Logged
|
|
|
|
|
|
pfSense Forum
