Snort clearing block hosts ahead of schedule
-
I extended the gateway monitoring intervals and this has helped reduce the number of filter reloads
Could you tell me where is the option and to what value have you changed for optimal resoults?
What I have noticed that it was working pretty well for me (300+ blocked) until I did two things. Enabled Pfblocker with good few lists and also switched snort to "Use IPS Policy". I will try to test in coming days which one of those two has caused the big change.
-
I'm having the exact same issue with Pfsense 2.1 and Snort 2.6.0.
Do you have any update?
Thank you!
-
Could you tell me where is the option and to what value have you changed for optimal resoults?
What I have noticed that it was working pretty well for me (300+ blocked) until I did two things. Enabled Pfblocker with good few lists and also switched snort to "Use IPS Policy". I will try to test in coming days which one of those two has caused the big change.
I'm using pfblocker (with a few tens of thousands IPs in the table), all snort rules enabled (except FPs, as mentioned in setup threads) and a few (tens) of custom rules (most IPs blocked are by these). I'm regularly seeing 4500+ blocked IPs, so pfblocker and IPS Policy is (IMHO) unrelated, but today I got a huge packet loss (10%) on one network and the hosts were cleared. Just saying, the problem might have something to do with the gateway monitoring. Or the gateway monitoring just causes a reload and is completely unrelated.
It's an annoying bug but hopefully will get fixed.
-
I see there has been no update on this thread for 2 months, but I have had the same problem since the pfSense update to:
2.1-RELEASE (i386)
built on Wed Sep 11 18:16:50 EDT 2013
FreeBSD 8.3-RELEASE-p11I will occasionally see a few blocks in a row, but they disappear almost instantly. I also use apinger to monitor 2 gateways that I load balance/fail over on. I have tried stopping apinger, to no avail. It is hard to judge the value I'm getting out of SNORT if I cannot see whether the alerts I receive are being blocked. This also makes it almost impossible to suppress or whitelist issues, since I can't really see if I need to. Fortunately, no unusual blocking activity is affecting my users - or is this: unfortunately, my users are not being blocked??
Assuming apinger and the last pfSense update is the problem, what can the pfSense folks do to help us?
Thanks for the erstwhile awesome product! Rob…
-
Hey, SOLUTION time!
After reading a bunch of Bill's posts and what others of you have experienced I checked to see what ELSE might have been causing my filters to reload. It turns out apinger and gateway monitoring had nothing to do with it.
I had a broken installation of Squid 3 that looked like it was OK and always appeared to be running, but was causing very regular filter reloads (check your Status: System Logs: General tab for "Squid_Alarm[######]: Reconfiguring filter…")
Since my post less than 90 minutes ago I now have over 130 blocks in my Blocked tab! Wait. Is that a good thing?? :)
Rob...
-
Hey, SOLUTION time!
After reading a bunch of Bill's posts and what others of you have experienced I checked to see what ELSE might have been causing my filters to reload. It turns out apinger and gateway monitoring had nothing to do with it.
I had a broken installation of Squid 3 that looked like it was OK and always appeared to be running, but was causing very regular filter reloads (check your Status: System Logs: General tab for "Squid_Alarm[######]: Reconfiguring filter…")
Since my post less than 90 minutes ago I now have over 130 blocks in my Blocked tab! Wait. Is that a good thing?? :)
Rob...
There have also been reports that the constant filter_reloads and subsequent clearing of Snort's block table are fixed in the 2.1.1-PRERELEASE snapshots.
Bill
-
@jflsakfja:
I'm using pfblocker (with a few tens of thousands IPs in the table), all snort rules enabled (except FPs, as mentioned in setup threads) and a few (tens) of custom rules (most IPs blocked are by these). I'm regularly seeing 4500+ blocked IPs, so pfblocker and IPS Policy is (IMHO) unrelated, but today I got a huge packet loss (10%) on one network and the hosts were cleared. Just saying, the problem might have something to do with the gateway monitoring. Or the gateway monitoring just causes a reload and is completely unrelated.
I'm a believer in your pfBlocker/Snort setup schema. Care to elaborate on your custom rules?
My system is alerting and blocking better than ever but I'm in single digit percentages of 4500+.
Rick
-
I'm a believer in your pfBlocker/Snort setup schema. Care to elaborate on your custom rules?
My system is alerting and blocking better than ever but I'm in single digit percentages of 4500+.
Rick
Contrary to industry accepted practices and hundreds,nope thousands, nope trillions of RFC documents (and whole galaxy systems with their sys admins supporting their use) detailing why you should allow privileged ports to connect to privileged ports, I personally want to be alerted when something like that happens. Most reflection attacks work on a form of this, but then again the security industry leaders say "who are you to say that?". I have been known though to campaign for the industry wide banning of HTTP requests for numeric IP numbers (requesting a webpage off a server without a hostname), but then again nobody listens to me. Statistically speaking, based on previous decades, the industry will accept this at some point around the year 2049.
I'm sorry but with regards to elaborating on custom rules (flicks through Company policy) "I am not at liberty to discuss that" ;-)
-
@jflsakfja:
[I'm sorry but with regards to elaborating on custom rules (flicks through Company policy) "I am not at liberty to discuss that" ;-)
[/quote]Thanks for trying…
Firewall rules that are proprietary??? Hmmm... I'm so glad I'm retired and don't have to put up with that level of BS any more. Don't get me wrong, I fully understand the need to keep specifics of internal ports and addresses close to the vest... but when the bean counters and lawyers view firewall rules as an asset to be coveted, hoarded and locked down... Sorry, I'm just from a time gone by when as an admin if you found something that worked you made it known within the community. IT was so much more efficient and FUN when it was run by folks that actually KNEW IT. That was then, this is now... and now is ME, ME, ME.Rick
-
When you open up something to the community, with good intentions, but the vultures that be (all other "companies"* in your country) circle above your head, copying your every move and declaring they are using tomorrow's technology today (technology you happened to be using first, even before they even knew how to plug a computer into a power outlet,let alone switch it on), and constantly probing you for vulnerabilities (both metaphorically and literally speaking), one tends to get a bit "proprietary" and "locked down".
BTW, bean counters and lawyers have nothing to do with it. It's my call to declare it proprietary and a trade secret, with all the accompanying safety mechanisms that entails. I'm in the security industry after all, so by definition they are trade secrets ;-)
*example of one such said company: Transfered a client's domain to me, just about a month ago. His hosting plan run out just >before< the "Industry Leader with tens of years of domain transfer experience, and billions of domains transfered" insisted that to transfer a .com you don't need an EPP code. A month later the hosting plan still operates as if it was "forgotten" and left there for all eternity. Conclusion: If you don't bother removing plans you no longer host, then you don't even bother updating your servers anymore. Do the industry a favor and consider a career change before someone gets hurt by your negligence (you is directed to said "Industry Leader").
-
Then… you've made my point.
But thanks for sharing what you have.
Rick