Netgate Discussion Forum
Why doesn't SNORT block IPs?

pfSense Packages
magicbret

Hi all,

I recently installed the latest pfSense version, with SNORT activated. I was on Smoothwall before and saw IPs blocked the day after the install. But now I can't see any IPs blocked with pfSense. I don't believe that nobody is attacking my firewall :-)

If I enable the ICMP rules, I can see some blocked IPs. But each time I try to connect to a site, after a couple of minutes I can see the IP blocked by SNORT. That means blocking works.

Another problem: each time I modify something in SNORT, the service stops and doesn't restart. Even if I click on the start button, the message "Snort have been started" is shown, but the service doesn't run.

Is this an issue or a missing configuration?

Thanks for your help

Julien
jamesdean

What version of snort are you running, and what pfSense version?
magicbret

Hi,

pfSense 1.2.2 and SNORT 2.8.2.6.
magicbret

OK, I found the solution in the forum: it seems there is a ; after a & that must be deleted in the /usr/local/rc.d/snort.sh file. But after a couple of hours, I still don't see any alerts or any blocked IPs (and it was huge with SmoothWall).

Has someone found the solution to this issue?

Regards
jamesdean

Type: ps -aux | grep snort and tell me what you see.

You should see this in the pfSense terminal.

root  54702  0.0 17.3 77192 43184  ??  Ss  Wed12PM  0:33.46 snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast
root  54727  0.0  0.4  3132  892  ??  Is  Wed12PM  0:00.00 snort2c -w /var/db/whitelist -a /var/log/snort/alert
magicbret

It seems to be OK:

root    2712 100.0 74.1 557284 281852  ??  Rs    9:15PM  4:34.00 snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i rl1 -A fast
root    3276  0.0  0.2  3132  748  ??  Is    9:18PM  0:00.00 snort2c -w /var/db/whitelist -a /var/log/snort/alert

It was working today, I saw blocked IPs, but after the reboot, and even after modifying the file again, I can't see any alerts. I use ShieldsUP to generate a lot of connections; it was blocked this morning, but not this evening ???
magicbret

I tried several times... And always the same problem. A lot of difficulty starting SNORT:

snort[27866]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_rl1.pid" for PID "27866"

I'm thinking about uninstalling this tool and waiting for a patch to be available!
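The two diagnostics this thread turns on, the "is snort2c actually running next to snort" check that jamesdean asks for and the PID-file lock failure in the post above, written out as a small POSIX sh script. This is an added example, not code from the thread or from the pfSense Snort package; the ps listings are constructed from the ones posted here, and the /var/run/snort_rl1.pid path and the rl1 interface name are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense Snort package.
# Two offline checks for the symptoms discussed in the thread:
#   1. snort_pair_running  - given `ps -aux | grep snort` output, confirm that
#      both the snort sniffer and the snort2c helper (which turns entries in
#      the alert file into blocked addresses) are present. Only snort running
#      means alerts are logged but nothing is ever blocked.
#   2. pidfile_state       - classify a /var/run/snort_<if>.pid file as
#      "missing", "running" (its PID is alive, so that instance still holds
#      the lock a freshly started snort fails to take) or "stale" (leftover
#      file whose PID is dead).
# The PID file path and the interface name rl1 are assumptions for the demo.

# Constructed sample output, modelled on the listings posted in the thread.
SAMPLE_PS='root    2712 100.0 74.1 557284 281852  ??  Rs    9:15PM  4:34.00 snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i rl1 -A fast
root    3276  0.0  0.2  3132  748  ??  Is    9:18PM  0:00.00 snort2c -w /var/db/whitelist -a /var/log/snort/alert'

# Constructed sample where only the sniffer survived a restart.
SAMPLE_PS_NO_BLOCKER='root    2712 100.0 74.1 557284 281852  ??  Rs    9:15PM  4:34.00 snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i rl1 -A fast'

# snort_pair_running "<ps output>": prints "ok" and returns 0 when both
# processes are present; otherwise prints what is missing and returns 1.
snort_pair_running() {
    ps_out=$1
    # grep -c exits 1 on zero matches; "|| true" keeps set -e scripts alive.
    n_snort=$(printf '%s\n' "$ps_out" | grep -c ' snort -c .* -A fast') || true
    n_snort2c=$(printf '%s\n' "$ps_out" | grep -c ' snort2c -w .* -a /var/log/snort/alert') || true
    if [ "$n_snort" -ge 1 ] && [ "$n_snort2c" -ge 1 ]; then
        echo ok
        return 0
    fi
    [ "$n_snort" -ge 1 ] || echo "missing: snort sniffer"
    [ "$n_snort2c" -ge 1 ] || echo "missing: snort2c (alerts will not become blocks)"
    return 1
}

# pidfile_state <pidfile>: prints missing | running | stale (see header).
pidfile_state() {
    pidfile=$1
    [ -f "$pidfile" ] || { echo missing; return 0; }
    # Keep only digits so a trailing newline in the file does not confuse kill.
    pid=$(tr -dc '0-9' < "$pidfile")
    # kill -0 only checks whether the PID exists; it sends no signal.
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo running
    else
        echo stale
    fi
}

# Stand-alone demo.
echo "healthy listing:  $(snort_pair_running "$SAMPLE_PS")"
echo "sniffer only:     $(snort_pair_running "$SAMPLE_PS_NO_BLOCKER" || true)"
echo "rl1 pid file:     $(pidfile_state /var/run/snort_rl1.pid)"
```

On a live box the first function would be fed `ps -aux | grep snort` instead of the samples; "running" from the second function is the case that produces the "Failed to Lock PID File" message, because the earlier snort instance for that interface is still alive and holds the lock, while "stale" is just a leftover file.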
jamesdean

Here is the patch I submitted to the core team, and I plan to add others. They seem really busy so I don't know when we will see them, hopefully soon.
One side note: you do know that blocked IPs get removed after an hour.

Just replace the red with the green in your snort.inc

https://rcs.pfsense.org/projects/pfsense-packages/repos/robiscool-clone/commits/58cdea65b46e26a946013207abc96a59b178602d
magicbret

Thanks a lot for your reply. I will test it and keep you informed.
Yes, I already know that IPs are blocked for 1 hour, but in my case, not even 1 minute :)

Cheers
magicbret

:-[ Not working. It's OK at the beginning, but each time I modify something, the service doesn't block IPs. And I also have some difficulty with POP: remote servers are blocked by SNORT (without the POP rules checked).
Anyway, I won't use it, that's all!

Thanks anyway for your help! ;)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.