Snort Alert list explanation
-
I am new to using Snort in a Netgate router with pfSense.
In the Snort settings under alerts I am seeing notice like this:
2025-09-08 16:34:17 | Pri 1 | UDP | Attempted User Privilege Gain | Src 37.60.141.158:47167 | Dst 195.252.###.###:9034 | 1:58853 | SERVER-OTHER RealTek UDPServer command injection attempt

Does this mean that someone from 37.60.141.158 tried to log in to my router or is trying to log in to my router? Does SNORT block this attempt? Or how do I block this attempt? There is nothing showing up in my BLOCKED list.
Will Snort ONLY block these IPs if I have "Block Offenders" checked? If yes, should I use legacy mode or inline mode? My understanding is that if I use legacy mode all rules will be enabled and any alerts will be automatically blocked, right? If I use inline mode, then NO rules will be automatically blocked and I would have to enable the action for that rule for it to be blocked, right?
If I use inline mode, how do I enable a rule? Right now I just have a yellow triangle under the action for this rule.
How do I know which rules Snort is using? Under WAN Categories, if I choose Balanced, NONE of the rulesets (Categories) shown at the bottom are checked?
Here is another alert that I'm wondering about:
2025-09-08 08:38:21 | Pri 3 | Generic Protocol Command Decode | Src 97.78.###.### | Dst 24.172.###.### | 123:8 | (spp_frag3) Fragmentation overlap

The source IP 97.78.###.### is my main office IP address and the destination IP 24.172.###.### is my branch office. I'm not sure what this is and I definitely don't want this data being blocked by SNORT, so would this be a good reason to NOT use legacy mode in the Block Offenders section?
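As an added example (not code from this thread or from the pfSense Snort package), the script below parses the two alerts above as Snort 2 "alert_fast" log lines, tells a text-rule alert (GID 1) apart from a preprocessor alert (GID 123 is spp_frag3), and shows what "Block Offenders" would put in the block table once a pass list covering the two office addresses is in place. The last octets of the masked addresses are invented, the pass list is constructed, and the package's own default pass-list entries (its interfaces, gateways, DNS servers) are not modelled here. The suppress line it emits uses Snort's real threshold.conf syntax, which is what the package's Suppress List tab accepts.

```python
"""Triage Snort 2 alert_fast lines against a pass list.

Added example for the thread above, not code from pfSense or Snort.
Sample alerts are constructed to match the two alerts in the post; the
masked octets are invented placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# alert_fast record. Fragment/ICMP alerts carry no ports, so ":port" is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Constructed sample lines (IPv4 only); the ".0.1" octets are invented.
SAMPLE_ALERTS = [
    "09/08-16:34:17.000000  [**] [1:58853:1] SERVER-OTHER RealTek UDPServer "
    "command injection attempt [**] [Classification: Attempted User Privilege Gain] "
    "[Priority: 1] {UDP} 37.60.141.158:47167 -> 195.252.0.1:9034",
    "09/08-08:38:21.000000  [**] [123:8:1] (spp_frag3) Fragmentation overlap [**] "
    "[Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} "
    "97.78.0.1 -> 24.172.0.1",
]
# Constructed pass list: the two office endpoints that must never be blocked.
OFFICE_PASS_LIST = ["97.78.0.1/32", "24.172.0.1/32"]


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    @property
    def is_preprocessor(self) -> bool:
        # GID 1 is a text rule from an enabled category; any other GID is a
        # decoder/preprocessor alert (123 = spp_frag3), not a rule you can tick.
        return self.gid != 1


def parse_alert(line: str) -> Alert:
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an alert_fast line: {line!r}")
    return Alert(
        timestamp=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), msg=m["msg"],
        classification=m["cls"] or "", priority=int(m["prio"]), proto=m["proto"],
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


def offenders(alert: Alert, pass_list: Iterable[str], which: str = "both") -> List[str]:
    """Addresses 'Block Offenders' would add to the block table for this alert.
    `which` mirrors the package's 'Which IP to Block' choice (src, dst, both);
    anything inside the pass list is exempt."""
    nets = [ipaddress.ip_network(n, strict=False) for n in pass_list]
    candidates = {"src": [alert.src], "dst": [alert.dst],
                  "both": [alert.src, alert.dst]}[which]
    return [ip for ip in candidates
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


def suppress_entry(alert: Alert, track: str = "by_src", cidr: Optional[str] = None) -> str:
    """threshold.conf line that silences only this GID:SID for one address/CIDR,
    leaving the rule active for everyone else."""
    return f"suppress gen_id {alert.gid}, sig_id {alert.sid}, track {track}, ip {cidr or alert.src}"


def triage(lines: Iterable[str], pass_list: Iterable[str], which: str = "both") -> List[dict]:
    report = []
    for line in lines:
        a = parse_alert(line)
        report.append({"sig": f"{a.gid}:{a.sid}", "msg": a.msg, "pri": a.priority,
                       "preprocessor": a.is_preprocessor,
                       "would_block": offenders(a, pass_list, which)})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS, OFFICE_PASS_LIST):
        print(row)
    frag = parse_alert(SAMPLE_ALERTS[1])
    print(suppress_entry(frag, cidr="97.78.0.0/16"))
```

Run as-is: the RealTek alert yields a block candidate for 37.60.141.158 (and the destination, if "both" is selected), while the frag3 alert between the two offices yields nothing because both endpoints are on the pass list. Without a pass list, the same frag3 alert would block both office addresses in legacy mode.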
-
@icoso first of all don’t block anything until you have your setup straight.
If Snort is running on WAN then be aware that, since it runs outside the firewall, it will scan packets the firewall will drop.
Yes you’d need to enable blocking.
I suggest legacy mode to start. It scans a copy of each packet. It’s much easier to get started and you don’t have to worry about driver issues.
The rules you enable are up to you. For instance if you don’t host a web server the web server ruleset is kind of pointless.
-
Added to this :
@SteveITS said in Snort Alert list explanation:
If Snort is running on WAN then be aware since it runs outside the firewall it will scan packets the firewall will drop.
If your WAN IP can be reached by everybody (== the entire internet) then having Snort 'listening' on WAN is not a good idea. What would happen when 'someone' sends you a load of packets that were known in advance to trigger your Snort? Every packet will kick Snort into action, eating away loads of CPU cycles and logging a lot of lines = disk space.
'Someone' doing nearly nothing, and you will be stressing your own firewall.
The short conclusion: never ever Snort on WAN.
The main conclusion: Snort on WAN can be done, but keep a permanent eye on it.
Btw: the default WAN behavior is "block" anyway.
edit :
You might say: I activate blocking mode, so every suspected traffic will hit 'the wall'.
Afaik, Snort places itself in front of the firewall, so it still 'sees' the traffic, reacts upon it, decides to block the IP, finds the IP was already blocked, etc.