Snort Pass Lists

Pass Lists are lists of IP addresses that Snort should never block. Pass lists can be created and managed on the Pass Lists tab. When an IP address is listed on a Pass List, Snort will never insert a block on that address even when malicious traffic is detected.

To create a new Pass List, click the fa-plus icon. To edit an existing Pass List, click the fa-pencil icon. To delete a Pass List, click the fa-trash icon. Note that a Pass List cannot be deleted if it is currently assigned to one or more Snort interfaces.

../../_images/snortpasslists.png

A default Pass List is automatically generated by Snort for every interface, and this default list is used when no other list is specified. Assign Pass Lists to an interface on the Interface Settings tab.

Customized Pass Lists can be created and then assigned to an interface. This might be needed when trusted external hosts are needed that are not located on networks directly connected to the firewall. To add external hosts in this manner, first create an Alias under Firewall > Aliases and then assign that alias to the Assigned Aliases: field. In the example shown below, the alias “Friendly_ext_hosts” has been assigned. This alias would contain the IP addresses of the trusted external hosts.

When creating a custom Pass List, leave all the auto-generated IP addresses checked in the Add auto-generated IP addresses section. Not selecting the checkboxes in this section can lead to blocking of critical addresses including the firewall interfaces themselves. This could result in being locked out of the firewall over the network! Only uncheck boxes in this section when a valid need is present.

../../_images/snortpasslistedit.png

Click the ALIASES button to open a window showing previously defined aliases for selection. Remember to click SAVE to save changes.

Note

Remember that simply creating a Pass List is only the first step! Go to the Interface Settings tab for the Snort interface and assign the newly created Pass List as shown below. After assigning and saving the new Pass List, restart Snort on the affected interface to pick up the change.

../../_images/snortassignpasslist.png