Are pfBlocker and Snort compatible?
-
Newbie question:
Is pfBlocker compatible with Snort… specifically GeoIP?
- When I block select countries, specifically "TopSpammers", Africa, Asia, South America and North America (except USA and Canada), I get an error message when I update the rule set, i.e. "Result: Failed", specifically for my "Snort OpenAppID Detectors".
When I disable pfBlocker, the rules are updated??
Any thoughts on how to make these programs coexist? Are there countries I should not block so they coexist?
Thank you all kindly...
(I have a few other pfBlocker questions but thought I would address them separately...)
-
Look at the Alerts tab and suppress the IP or the domain name that is blocked when pfBlockerNG is active.
-
Do I go to the IPv4 tab, hit the "+" sign, create an alias and add the IP to "IPv4 Lists"?
Thank you again..
-
Not the IPv4 tab; the Firewall / pfBlockerNG / Alerts tab.
-
I am on the Firewall/pfBlocker/Alerts tab but can't see where I can suppress an IP.
Is there a setting in pfBlocker (maybe the pfBlocker General tab) that will allow me to suppress an IP for GeoIP?
Thanks again for the help..
-
When you see this, click on it to get more information about the pfBlockerNG functionalities.
Did you enable suppression under Firewall / pfBlockerNG / IP?
Alerts can be suppressed using the '+' icon in the Alerts tab, and the IPs are added to the IPv4 suppression custom list.
For GeoIP/Blocked IPs in a CIDR other than /32 or /24, you will need a 'Whitelist alias' with a List Action: 'Permit Outbound' Firewall rule.
Only 'Deny' type Aliases can be suppressed!
-
I enabled "Suppression" under Firewall/pfBlockerNG/General, however I do not know where "Firewall / pfBlockerNG / IP" is... not sure if that is the same?
-
Well, there is no suppression setting under Firewall / pfBlockerNG / General in the Development version. It's in the Firewall / pfBlockerNG / IP tab.
So maybe your tabs are different than mine. :-[
-
Seems basic, but I cannot find a Firewall/pfblockerng/IP tab? See my screenshots attached.
I did find that a pfblockerNGSuppress alias was added, however it is currently empty… is that where suppressed IPs go?
Might it be a different screen from yours, and pfBlocker doesn't work with an SG-2440 running pfSense 2.3.4?
-
As I stated, I am using a "later/under development" version of pfblockerNG, so your tabs are quite different from my version.
When you can suppress an IP, there is a blue "+" icon on the left of the IP.
So in your case, if you want to "Whitelist" the IPs without the "+" icon, you have to follow the instructions:
For GeoIP/Blocked IPs in a CIDR other than /32 or /24, you will need a 'Whitelist alias' with a List Action: 'Permit Outbound' Firewall rule.
Only 'Deny' type Aliases can be suppressed!
But try to download the rules with a browser: https://www.snort.org/downloads/#rule-downloads
The IP used on my side is 104.16.63.75.
Maybe it's the domain name that is blocked.
-
Thanks RonpfS… I appreciate the help!
-
I believe that the Snort OpenAppID Detector Feed is based in South America…
-
I believe that the Snort OpenAppID Detector Feed is based in South America…
Yep, Brazil… this is the one you helped me with. I don't use the country lists for that region.
TLD blacklist
br
edu.br
TLD whitelist
www.ifs.edu.br|200.133.48.21 # for SNORT OpenAppID rule
ifs.edu.br|200.133.48.21 # for SNORT OpenAppID rule
thor.ifs.edu.br|200.133.48.21 # SNORT OpenAppID rule
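The two rules of thumb in this thread (an IP blocked by a /32 or /24 list entry can be suppressed from the Alerts tab; an IP blocked by any wider GeoIP CIDR needs a whitelist alias with a 'Permit Outbound' rule) and the `hostname|ip # comment` whitelist lines in the last post can be checked offline before touching the firewall. The script below is an added example, not code from the thread or from the pfBlockerNG project: it parses whitelist lines in the shape shown above, tests a feed host's IP against a constructed block list, and reports which remedy applies. The `SAMPLE_GEOIP_BLOCKLIST` networks are made up for the demonstration (a /16 standing in for a country list, plus a documentation /24), and the assumption that a whitelisted IP bypasses the block is the thread's, not verified against pfBlockerNG source.

```python
import ipaddress

# Constructed sample block list standing in for a GeoIP country feed.
# 200.133.0.0/16 is chosen only so that it contains the Snort OpenAppID
# host IP from the thread; 203.0.113.0/24 is the TEST-NET-3 documentation range.
SAMPLE_GEOIP_BLOCKLIST = [
    "200.133.0.0/16",   # constructed: wider than /24, so not suppressible
    "203.0.113.0/24",   # constructed: a /24 entry, suppressible from Alerts
]

# Whitelist lines in the "hostname|ip # comment" shape shown in the thread.
SAMPLE_WHITELIST = """
www.ifs.edu.br|200.133.48.21 # for SNORT OpenAppID rule
ifs.edu.br|200.133.48.21 # for SNORT OpenAppID rule
thor.ifs.edu.br|200.133.48.21 # SNORT OpenAppID rule
"""


def parse_whitelist(text):
    """Parse 'host|ip # comment' lines into {host: IPv4Address}.

    Blank lines and full-line comments are skipped; trailing comments are
    stripped before the line is split on '|'.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, _, ip = line.partition("|")
        entries[host.strip()] = ipaddress.ip_address(ip.strip())
    return entries


def blocking_networks(ip, blocklist):
    """Return every network in blocklist that contains ip."""
    addr = ipaddress.ip_address(ip)
    return [net for net in map(ipaddress.ip_network, blocklist) if addr in net]


def suppressible(network):
    """Per the thread, Alerts-tab suppression only covers /32 and /24 entries."""
    return network.prefixlen in (24, 32)


def classify(ip, blocklist, whitelist):
    """Report what a feed host's IP needs so that rule downloads succeed.

    Returns one of: 'not blocked', 'whitelisted', 'suppressible',
    'needs whitelist alias'.
    """
    addr = ipaddress.ip_address(ip)
    hits = blocking_networks(ip, blocklist)
    if not hits:
        return "not blocked"
    # Assumption from the thread: an IP already on the whitelist is permitted.
    if addr in whitelist.values():
        return "whitelisted"
    if all(suppressible(net) for net in hits):
        return "suppressible"
    return "needs whitelist alias"


if __name__ == "__main__":
    wl = parse_whitelist(SAMPLE_WHITELIST)
    # 200.133.48.21 is the OpenAppID host from the thread; 104.16.63.75 is the
    # IP RonpfS reported seeing; 203.0.113.7 is a constructed test address.
    for host_ip in ("200.133.48.21", "104.16.63.75", "203.0.113.7"):
        print(host_ip, "->", classify(host_ip, SAMPLE_GEOIP_BLOCKLIST, {}),
              "| with whitelist:", classify(host_ip, SAMPLE_GEOIP_BLOCKLIST, wl))
```

Run it with a real exported list in place of `SAMPLE_GEOIP_BLOCKLIST` to see, for each host a rule feed resolves to, whether a simple suppression entry is enough or a whitelist alias is required.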