Snort and blocking source/dest IP
-
Hello,
I have tried out the snort-dev on a pfSense 1.2.2 RC1 and noticed that Snort is still only blocking source IP addresses that pop up in the alert log. When will there be a fix for this?
// BlackWand
-
Actually, I was just about to start a post about that. To me, it's working weird. I have 1.2.3-RC3 built on Mon Sep 14 23:09:32 UTC 2009 FreeBSD 7.2-RELEASE-p3 i386. Using snort-dev. Snort 2.8.4.1_1 pkg v. 1.6 Beta. Here are my alerts:

[ ** ] [ 122:3:0 ] (portscan) TCP Portsweep [ ** ]
[ Priority: 3 ]
09/18-19:01:19.050424 85.241.62.54 -> 4.79.142.202
PROTO:255 TTL:0 TOS:0x0 ID:65441 IpLen:20 DgmLen:159 DF

[ ** ] [ 122:23:0 ] (portscan) UDP Filtered Portsweep [ ** ]
[ Priority: 3 ]
09/18-19:08:12.845122 85.241.62.54 -> 212.55.154.190
PROTO:255 TTL:0 TOS:0x0 ID:33868 IpLen:20 DgmLen:164

[ ** ] [ 122:23:0 ] (portscan) UDP Filtered Portsweep [ ** ]
[ Priority: 3 ]
09/18-19:16:28.527528 85.241.62.54 -> 212.55.154.190
PROTO:255 TTL:0 TOS:0x0 ID:26177 IpLen:20 DgmLen:164

My IP is 85.241.62.54. I'm using PPPoE on the WAN interface. I keep being blocked. Bug maybe?
-
rc2 just got out… ;)
-
Actually, I was just about to start a post about that. To me, it's working weird. I have 1.2.3-RC3 built on Mon Sep 14 23:09:32 UTC 2009 FreeBSD 7.2-RELEASE-p3 i386. Using snort-dev. Snort 2.8.4.1_1 pkg v. 1.6 Beta. Here are my alerts:

[ ** ] [ 122:3:0 ] (portscan) TCP Portsweep [ ** ]
[ Priority: 3 ]
09/18-19:01:19.050424 85.241.62.54 -> 4.79.142.202
PROTO:255 TTL:0 TOS:0x0 ID:65441 IpLen:20 DgmLen:159 DF

[ ** ] [ 122:23:0 ] (portscan) UDP Filtered Portsweep [ ** ]
[ Priority: 3 ]
09/18-19:08:12.845122 85.241.62.54 -> 212.55.154.190
PROTO:255 TTL:0 TOS:0x0 ID:33868 IpLen:20 DgmLen:164

[ ** ] [ 122:23:0 ] (portscan) UDP Filtered Portsweep [ ** ]
[ Priority: 3 ]
09/18-19:16:28.527528 85.241.62.54 -> 212.55.154.190
PROTO:255 TTL:0 TOS:0x0 ID:26177 IpLen:20 DgmLen:164

My IP is 85.241.62.54. I'm using PPPoE on the WAN interface. I keep being blocked. Bug maybe?
Hugovsky
Your IP should be whitelisted automatically. Send me a PM with the output of this.
cat "/var/db/whitelist"
James
-
Hello,
I have tried out the snort-dev on a pfSense 1.2.2 RC1 and noticed that Snort is still only blocking source IP addresses that pop up in the alert log. When will there be a fix for this?
// BlackWand
It's on my TODO list; I have to code custom C++ code into the source code of Snort.
Be patient.
James
-
Seems to be working just fine in RC2. I'll update as soon as news shows up.
-
jamesdean, OK. Good to know it's at least on the TODO list. ;D