how to get IP Attacker into the blocklist

ezvink

@steveits
I'm using legacy mode sir, but it doesn't have any effect.

serbus

Hello!

Snort IP rep lists might do what you want.
Check the docs

John

bmeeks

@ezvink said in how to get IP Attacker into the blocklist:

@johnpoz
I saw the video on youtube, sir, who tried to attack using Suricata and added a passlist

I think you completely misunderstood the concept there. A Pass List is used to prevent an IP from being blocked. "Pass" means "to allow", so that means the traffic is not blocked but instead is allowed to pass when the IP is on a Pass List. You would use a Pass List when a rule is triggering for some host (possibly as a false positive), but you do not want that host to be blocked. IP addresses listed on an active Pass List will not be blocked, but they will still show up on the ALERTS tab when the alerting rule triggers.

If you want to block a specific IP, you can always create your own custom rule using the feature on the RULES tab (by selecting "Custom Rules" in the Category drop-down on that tab).

SteveITS

@ezvink Did you happen to click any of the [+] icons on the Alerts tab, to Suppress the alert? If you did then it won't trigger again. You can view that list on the Suppress tab.

ezvink

@bmeeks
I've added a rule with DROP sir to the rules I created in the custom rule, but it's still not in the blockhost tab

ezvink

@steveits
if my attacker's IP has entered the suppress tab, is the IP blocked, sir?

bmeeks

@ezvink said in how to get IP Attacker into the blocklist:

@steveits
if my attacker's IP has entered the suppress tab, is the IP blocked, sir?

No. A suppress list suppresses the alert and therefore any associated block.

SteveITS

@ezvink said in how to get IP Attacker into the blocklist:

if my attacker's IP has entered the suppress tab, is the IP blocked

No.

The suppress list is for alerts that you never want to see again. Meaning, the alert is suppressed. Therefore, never blocked.

If you want to block an attacking IP you don't enter it anywhere. You said you were using Legacy with blocking enabled, so if the attacker triggers an Alert then the IP appears on the Blocks tab.

It sounds like you have created a custom rule. Is the rule being triggered? It is logged on the Alert tab?

ezvink

@steveits
I do not set anything else sir, I just leave the default.

but it doesn't work on the suricata/snort I installed sir, can you help me find the point where the problem is?

ezvink

@ezvink
This is the rule that I added sir, it can be detected and goes to alerts but doesn't go to the blockhost tab

ezvink

after I checked the "block Drop on only" menu, the action symbol changed to DROP before it was still alert even though the rule I added had dropped, and even then the blockhost menu pack remains empty

ezvink

I have followed from this forum too, but still the blockhost tab is empty

johnpoz

@ezvink said in how to get IP Attacker into the blocklist:

but it doesn't work on the suricata/snort I installed sir

Which is it - you don't have both running do you?

You removed the entry from the passlist?

bmeeks

I'm pretty sure your rule is not going to result in a block because of the default Pass List settings when using Legacy Blocking Mode. You have the rule running on the OPT1 interface. That is a locally-attached interface, so all IP addresses on that interface subnet are automatically added to the default Pass List. If the 192.168.3.5 address is also part of a locally-attached network, then it will also be part of the default Pass List. IP addresses covered by a Pass List entry will generate alerts, but will not result in actual blocks.

Post a copy of the current Pass List setting by going to the INTERFACE EDIT tab for the OPT1 interface, scroll down to the Pass List drop-down, then click the View List button out on the right. Post the content of that pop-up dialog. Let's see what IP addresses and subnets are listed on the Pass List currently running on that interface.

ezvink

I rebuilt the VM and this is what the passlist looks like.
Yes, it seems that's where the problem is, indeed, the attacker's IP is included in the passlist.
IP 172.16.120.0/24 is the IP of the attacker
IP 192.168.55.0/24 is the IP of the webserver

ezvink

Then, how is the solution, sir? If I give a network attacker VM that does not originate from Pfsense, attackers cannot access webserver

Cool_Corona

Isnt this debate intended to pinpoint how to add an attacking IP (outside source) to a blocklist?

So the list gets bigger and bigger every day, so they eventually run out of IP4 and then the admin can see who and whats on the list?

ezvink

@cool_corona
Yes, that's right, sir, but I haven't found a way to get the attacker's IP (outside source) to connect to the webserver

Cool_Corona

@ezvink why would you do that?

ezvink

@cool_corona said in how to get IP Attacker into the blocklist:

why would you do that?

this is part of my final project sir