Topic: Snort passlist not read after adding FQDN to alias

cyberzeus
Snort passlist not read after adding FQDN to alias
« on: December 04, 2017, 04:55:11 pm »
Setup
  • pfSense: v2.4.1
  • Snort: v3.2.9.5_3

Issue

After adding an FQDN entry to an alias then used to define a passlist, the alias portion of the passlist is silently ignored.  Steps to reproduce are shown below.

I understand that passlists do not support FQDNs; however, the system should at least throw some kind of error or, better yet, maybe just read the alias and ignore the invalid entries. The current behavior is possibly the worst of all in that the silent ignore leaves the user thinking the passlist is being employed when in reality it is not, thereby creating a precarious situation where one could get locked out of their own system.

Steps to reproduce
  • Create an alias with a few IP addresses.
  • Create a passlist that references the above alias.
  • Go to the desired interface config and set it to use the above passlist.
  • Click the View List button to confirm the passlist is being read as expected.
  • Save changes and Restart the interface.
  • Add an FQDN to the alias previously created - be sure to Apply after saving changes.
  • Go to the interface config where the passlist was installed and click the View List button to check the passlist.  It should no longer appear as expected - i.e. the alias portion of the list is ignored.
  • Remove the FQDN just added - be sure to Apply after saving changes.
  • Go to the interface config where the passlist was installed and click the View List button to check the passlist.  The list should be read as expected.
NOTE: The issue occurs when the FQDN is saved as opposed to when those changes are applied (i.e. using the Apply button) as one might expect.
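The two behaviours the report asks for, shown as an added illustration that is not code from the pfSense Snort package (which is PHP; this is Python for readability): `validate_alias` refuses to accept an alias that contains anything but addresses or networks, and `build_passlist` keeps the usable entries while reporting what it dropped instead of silently ignoring the whole alias. The sample alias contents and the hostname-shape check are assumptions.

```python
import ipaddress

# Constructed sample alias mirroring the thread: a few addresses plus one FQDN.
SAMPLE_ALIAS = ["192.0.2.10", "192.0.2.0/24", "2001:db8::1",
                "ntp.example.net", "not an entry"]


def classify_entry(entry):
    """Return 'ip' (address or CIDR), 'fqdn' (hostname-shaped) or 'invalid'."""
    text = entry.strip()
    try:
        ipaddress.ip_network(text, strict=False)
        return "ip"
    except ValueError:
        pass
    # Assumed hostname shape: two or more dot-separated labels of
    # letters, digits and hyphens. Good enough to tell an FQDN from junk.
    labels = text.split(".")
    if len(labels) >= 2 and all(
        label and all(c.isalnum() or c == "-" for c in label) for label in labels
    ):
        return "fqdn"
    return "invalid"


def validate_alias(entries):
    """Option 1 from the report: refuse to save, one message per bad entry."""
    return [
        f"entry {entry!r} is a {kind}; pass lists accept only IP addresses and networks"
        for entry in entries
        for kind in [classify_entry(entry)]
        if kind != "ip"
    ]


def build_passlist(entries):
    """Option 2 from the report: keep usable entries, report what was dropped."""
    accepted, skipped = [], []
    for entry in entries:
        kind = classify_entry(entry)
        if kind == "ip":
            accepted.append(str(ipaddress.ip_network(entry.strip(), strict=False)))
        else:
            skipped.append((entry, kind))
    return accepted, skipped


if __name__ == "__main__":
    for message in validate_alias(SAMPLE_ALIAS):
        print("refused:", message)
    accepted, skipped = build_passlist(SAMPLE_ALIAS)
    print("pass list:", accepted)
    print("ignored:", skipped)
```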

bmeeks
Re: Snort passlist not read after adding FQDN to alias
« Reply #1 on: December 04, 2017, 09:01:17 pm »
The code originally threw up an error when an FQDN alias was used.  Maybe that logic got lost when the GUI code was converted over to the Bootstrap interface in pfSense.  I will need to dig into it and see why the error is not flagged when saving the Pass List edit with an FQDN alias.

One possibility is that if the aliases are nested (meaning actual IP addresses mixed in with an FQDN alias) the code is getting tripped up.  Just out of curiosity, have you tried using a single FQDN alias (in other words, no mixed IP addresses in with it) to see if that generates an error when saving the edited Pass List?

Bill