[Solved] Whitelisted Host Stops Getting White Listed

cbrown
Posts: 41
Joined: December 29th, 2017, 11:54 pm
Location: Texas

[Solved] Whitelisted Host Stops Getting White Listed

Post by cbrown » May 22nd, 2019, 12:35 pm

It seems that at least one of the entries I have in "Intrusion Prevention System->Whitelisted Hosts" stops getting whitelisted after some period of time. Over the course of several hours of running without issue, the rule that blocks this address starts blocking it again. I will continue to monitor and try to better characterize this problem.

BTW, thanks to the IPFire Team for all your good work,
cbrown
Last edited by cbrown on June 24th, 2019, 1:23 pm, edited 2 times in total.

Re: Whitelisted Host Stops Getting White Listed

Post by cbrown » May 22nd, 2019, 2:39 pm

FWIW, the whitelisted host is the repository for “The CINS Army List” used by the timfprogs/ipfblocklist feature. So, the traffic getting blocked is coming from my IPFire box going to the whitelisted host. Again, this seems to work fine for several hours – with the whitelisted site being successfully checked for updates on an hourly basis. Then, several hours later, the rule alert starts showing in “IPS Log Viewer” and the traffic is blocked. Once it starts blocking, it continues blocking each hour as the target site is tested for updates.

Re: Whitelisted Host Stops Getting White Listed

Post by cbrown » May 22nd, 2019, 3:43 pm

I just did a manual rule update with 'update-ids-ruleset' then checked 'System Logs->Intrusion Prevention'. The log shows:
[ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/whitelist.rules
I then ran a manual update for timfprogs/ipfblocklist. The blocklist update failed for CIARMY and the rule blocking access to the whitelisted site is showing in 'IPS Log Viewer'.

After deleting the target from whitelist, re-adding it, and then clicking the save button on 'Intrusion Prevention System', the whitelist processing resumed working properly -- I was able to manually update the blocklist with data from the CIARMY site without error; without blocking / without alert in IPS Logs.

It seems that when the rules get updated, the whitelisted site stops getting whitelisted.

TimF
Posts: 83
Joined: June 10th, 2017, 7:27 pm

Re: Whitelisted Host Stops Getting White Listed

Post by TimF » May 22nd, 2019, 7:26 pm

It looks like this is a genuine error - I suggest you raise a ticket in Bugzilla.


Re: Whitelisted Host Stops Getting White Listed

Post by cbrown » May 22nd, 2019, 10:01 pm
