Snort Alert list explanation

icoso

I am new to using Snort in a Netgate router with pfSense.

In the Snort settings under alerts I am seeing notice like this:
2025-09-08
16:34:17 1 UDP Attempted User Privilege Gain 37.60.141.158
47167 195.252.###.###
9034 1:58853
SERVER-OTHER RealTek UDPServer command injection attempt

Does this mean that someone from 37.60.141.158 tried to login to my router or is trying to log in to my router? Does SNORT block this attempt? or How do I block this attempt? There is nothing showing up in my BLOCKED list.

Will snort ONLY block these IP's if I have "Block Offenders" checked? If yes, should I use legacy mode or inline mode? My understanding is that if I use legacy mode all rules will be enabled and any alerts will be automatically blocked right? If I use inline mode, then NO rules will be automatically blocked and I would have to enable the action for that rule for it to be blocked, right?

If I use inline mode, how do I enable a rule? Right now I just have a yellow triangle under the action for this rule.

How do I know which rules is snort using? Under WAN Categories, If I choose balance, NONE of the rulesets (Categories) shown at the bottom are checked?

Here is another alert that I m wondering about:
2025-09-08
08:38:21 3 Generic Protocol Command Decode 97.78.###.###
24.172.###.###
123:8
(spp_frag3) Fragmentation overlap

The source IP 97.78.###.### is my main office IP address and the Destination IP 24.172.###.### is my branch office. I'm not sure what this is and I definitely don't want this data being blocked by SNORT, so would this be a good reason to NOT use legacy mode in the Blocked Offenders section?

SteveITS

@icoso first of all don’t block anything until you have your setup straight.

If Snort is running on WAN then be aware since it runs outside the firewall it will scan packets the firewall will drop.

Yes you’d need to enable blocking.

I suggest legacy mode to start. It scans a copy of each packet. It’s much easier to get started and you don’t have to worry about driver issues.

The rules you enable are up to you. For instance if you don’t host a web server the web server ruleset is kind of pointless.

Gertjan

@icoso

Added to this :

@SteveITS said in Snort Alert list explanation:

If Snort is running on WAN then be aware since it runs outside the firewall it will scan packets the firewall will drop.

If your WAN IP can be reached by everybody (== the entire internet) then having Snort 'listening' on WAN is a not a good idea. What would happen when 'some one' sends you a load of packets that were known in advance to trigger your snort ? So every packet will kick Snort into action, eating away loads of CPU cycles and logging a lot of lines = disk space.
'Some one' doing nearly nothing, and you will be stressing your own firewall.

The short conclusion : never ever Snort on WAN.
The main conclusion : Snort on WAN can be done, but keep a permanent eye on it.

Btw : the default WAN behavior is "block" anyway.

edit :
You might say : I activate Blocking mode, so every suspected traffic will hit 'the wall'.
Afaik, snort places itself in front of the firewall, so it still 'sees' the traffic, reacts upon it, decide to block the IP, finds the IP was already blocked etc.

icoso

@Gertjan Thank you for the info. Why then would I want to run Snort at all if I don't want to run it on the WAN port? I thought it was the IDS/IPS for detecting and preventing intrusions. Would I only run it on the LAN ports? If I only run it on the LAN ports wouldn't that only prevent my users from going outbound to certain IP's?

SteveITS

@icoso it will block both. There is a choice in the GUI as I recall.

SteveITS

@icoso also internal IPs aren’t blocked by default

icoso

@SteveITS I asked three different questions in my last post. I'm sorry but I don't understand which one you're answering. I'm trying to figure out why would I want to run Snort at all if I don't want to run it on my WAN ports according to Gertjan. Why do I even want to run Snort on my LAN ports?

Gertjan

@icoso said in Snort Alert list explanation:

Why then would I want to run Snort at all if I don't want to run it on the WAN port

Run snort on the traffic that made past the exiting 'pass' rules (like NAT IPv4) on your WAN and winds up on the LAN. Snort your LAN, so it can see the traffic that goes to your internal LAN devices.

@icoso said in Snort Alert list explanation:

I thought it was the IDS/IPS for detecting

IDS/IPS only makes sense if you actually decode the packet data pay load, as most (like 99 %) traffic is TLS encrypted. For that to happen, you have to do MITM. You have to use a proxy, and make all your LAN devices that should use this proxy, "proxy aware".

If you want to filter on IPs, no need for snort, the firewall with pfBlockerng and some list with 'bad known IP' can do the trick fats and easy.

@icoso said in Snort Alert list explanation:

If I only run it on the LAN ports wouldn't that only prevent my users from going outbound to certain IP's?

Snort would, I guess, if it see bad ports (if such a thing exists) or bad IPs or some other 'bad' packet header info, block the IP - on the WAN interface firewall list (or LAN interface firewall list).

Be aware that, IMHO, IDS/IPS was a nice feature back in the good old days, when all traffic was visible. These days are really over now, all your traffic is now TLS. So pfSense, as a router (firewall),a nd any other router on the traffic's path can't see the interesting part of the traffic : the payload.
We wanted privacy, now we have privacy.
No exceptions are possible, and ones you understand what this TLS is all about, you'll understand why

icoso

@Gertjan said in Snort Alert list explanation:

Run snort on the traffic that made past the exiting 'pass' rules (like NAT IPv4) on your WAN and winds up on the LAN. Snort your LAN, so it can see the traffic that goes to your internal LAN devices.

How do I tell snort to run/listen only between the WAN ports and the LAN port or "after" the WAN port?

SteveITS

@icoso said in Snort Alert list explanation:

If I only run it on the LAN ports wouldn't that only prevent my users from going outbound to certain IP's?

I think you're misunderstanding how it works. In legacy mode it will check for "bad" packets going past the router, and add the "bad" IP to a table/alias, and the firewall will block packets to/from that table. It is not directional in the sense of "it's on LAN so only watches outbound."

Running it on LAN also identifies which internal device triggered the rule because otherwise on WAN it is after NAT, since it's outside the firewall.

You can run it on WAN, sure. Some do if they have a lot of internal interfaces and don't want that many Snort/Suricata processes running. It's a tradeoff of "scanning packets that will never actually arrive" vs convenience/RAM usage.

Here is the setting I mentioned in Suricata; the packages are similar to maybe Snort has it also:

However, on the Snort interface settings click the View List button by "IP Pass List" and you'll see which IPs are ignored by default.