Netgate Discussion Forum

Why doesn't SNORT block IPs?

pfSense Packages
10 Posts 2 Posters 5.1k Views
magicbret (posted Feb 27, 2009, 8:54 AM; last edited Feb 27, 2009, 9:51 AM)

Hi all,

I recently installed the latest pfSense version, with SNORT activated. I was on Smoothwall before and saw IPs blocked the day after the install. But now I can't see any IPs blocked with pfSense. I don't believe that nobody is attacking my firewall :-)

If I select the ICMP rules to be enabled, I can see some blocked IPs. But each time I try to connect to a site, I can see after a couple of minutes the IP blocked by SNORT. It means that blocking works.

Another problem: each time I modify something in SNORT, the service stops and doesn't restart. Even if I click on the start button, the message "Snort have been started" is present, but the service doesn't run.

Is this an issue or a missing configuration?

Thanks for your help

Julien
jamesdean (Feb 27, 2009, 10:22 PM)

What version of snort are you running, and what pfSense version?
magicbret (Feb 28, 2009, 12:38 PM)

Hi,

pfSense 1.2.2 and SNORT 2.8.2.6.
magicbret (Feb 28, 2009, 3:36 PM)

OK, I found the solution in the forum: it seems that there is a ; after a & and it must be deleted in the /usr/local/rc.d/snort.sh file. But after a couple of hours, I still don't see any alerts or any blocked IPs (and there were a huge number with SmoothWall).

Has anyone found the solution to this issue?

Regards
jamesdean (Feb 28, 2009, 9:34 PM)

Type `ps -aux | grep snort` and tell me what you see.

You should see this in the pfSense terminal:

    root  54702  0.0 17.3 77192 43184  ??  Ss  Wed12PM  0:33.46 snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast
    root  54727  0.0  0.4  3132  892  ??  Is  Wed12PM  0:00.00 snort2c -w /var/db/whitelist -a /var/log/snort/alert
magicbret (Mar 1, 2009, 8:24 PM)

It seems to be OK:

    root    2712 100.0 74.1 557284 281852  ??  Rs    9:15PM  4:34.00 snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i rl1 -A fast
    root    3276  0.0  0.2  3132  748  ??  Is    9:18PM  0:00.00 snort2c -w /var/db/whitelist -a /var/log/snort/alert

It was working today, I saw blocked IPs, but after the reboot, and even after modifying the file again, I can't see any alerts. I use Shields UP to generate a lot of connections; it was blocked this morning, but not this evening ???
magicbret (Mar 1, 2009, 11:58 PM)

I tried several times... And always the same problem. A lot of difficulty starting SNORT:

    snort[27866]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_rl1.pid" for PID "27866"

I am thinking about uninstalling this tool and waiting for a patch to be available!
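The two checks discussed in this thread, jamesdean's `ps -aux | grep snort` inspection and the "Failed to Lock PID File" error above, as an added example that is not code from the thread or from the pfSense snort package. It parses a constructed copy of the ps output, confirms that both `snort` and the `snort2c` blocker are present, and reports whether the PID recorded in `/var/run/snort_<iface>.pid` still belongs to a live snort process; the temporary run directory used by the demo is an assumption for offline use.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense snort package.
# Parses `ps -aux | grep snort` output and inspects the snort PID file named in
# the "Failed to Lock PID File" error. Paths follow those quoted in the thread.

# Constructed sample of the ps output jamesdean asked for (one line per process).
SAMPLE_PS='root  54702  0.0 17.3 77192 43184  ??  Ss  Wed12PM  0:33.46 snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast
root  54727  0.0  0.4  3132  892  ??  Is  Wed12PM  0:00.00 snort2c -w /var/db/whitelist -a /var/log/snort/alert'

# snort_iface PS_TEXT: print the interface the snort process listens on (-i);
# exit 1 if no snort process is in the list.
snort_iface() {
    printf '%s\n' "$1" | sed -n 's/.* snort .*-i \([^ ]*\).*/\1/p' | grep .
}

# snort2c_running PS_TEXT: exit 0 only if the snort2c blocker, which turns
# alerts into blocked IPs, is also running; without it nothing gets blocked.
snort2c_running() {
    printf '%s\n' "$1" | grep -q ' snort2c -w '
}

# pid_state IFACE PS_TEXT RUNDIR: "missing" if there is no PID file, "live" if
# the PID it records is a running snort process (a second snort started for the
# same interface cannot lock the file), "stale" if that PID is gone.
pid_state() {
    pidfile="$3/snort_$1.pid"
    [ -f "$pidfile" ] || { echo missing; return 0; }
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    if printf '%s\n' "$2" | awk -v p="$pid" '$2 == p && $11 == "snort" { f = 1 } END { exit !f }'
    then echo live
    else echo stale
    fi
}

# Stand-alone demo against a temporary run directory (constructed, not /var/run).
demo() {
    tmp=$(mktemp -d) || return 1
    iface=$(snort_iface "$SAMPLE_PS") || { echo "snort not running"; return 1; }
    echo "snort listening on $iface"
    snort2c_running "$SAMPLE_PS" && echo "snort2c running" || echo "snort2c NOT running"
    echo 54702 > "$tmp/snort_$iface.pid"; echo "pid file: $(pid_state "$iface" "$SAMPLE_PS" "$tmp")"
    echo 99999 > "$tmp/snort_$iface.pid"; echo "pid file: $(pid_state "$iface" "$SAMPLE_PS" "$tmp")"
    rm -rf "$tmp"
}
demo
```

On a real box the functions take the live output, for example `pid_state rl1 "$(ps -aux | grep snort)" /var/run`, and a "stale" result means the leftover file can be cleared before restarting, while "live" means an earlier instance is still running and must be stopped first.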
jamesdean (posted Mar 2, 2009, 2:32 AM; last edited Mar 2, 2009, 4:10 AM)

Here is the patch I submitted to the core team, and I plan to add others. They seem really busy, so I don't know when we will see them, hopefully soon.
One side note: you do know that blocked IPs get removed after an hour.

Just replace the red with the green in your snort.inc

https://rcs.pfsense.org/projects/pfsense-packages/repos/robiscool-clone/commits/58cdea65b46e26a946013207abc96a59b178602d
magicbret (Mar 3, 2009, 10:57 AM)

Thanks a lot for your reply. I will test it and keep you informed.
Yes, I already know that IPs are blocked for 1 hour, but in my case, not even 1 minute :)

Cheers
magicbret (Mar 6, 2009, 10:33 PM)

:-[ Not working. It's OK at the beginning, but each time I modify something, the service does not block IPs. And I also have some difficulty with POP: remote servers are blocked by SNORT (without the POP rules checked).
Anyway, I won't use it, that's all!

Thanks anyway for your help! ;)