Snort enabled causes strange Firewall log
-
Hi,
I recently upgraded to a more powerful box for pfSense so I can run something like Snort etc. I installed Snort and configured it. So far so good; I'm satisfied with Snort itself for the moment, but after I looked in the Firewall Log I noticed there are some strange "Blocks" for traffic from LAN->WAN even with the any-any rule for LAN.
They look like this:
block Jun 17 02:30:22 WAN 192.168.1.20:1061 239.255.255.250:8082 UDP
block Jun 17 02:30:21 WAN 192.168.1.21:1055 239.255.255.250:8082 UDP
block Jun 17 02:30:19 WAN 192.168.1.20:1061 239.255.255.250:8082 UDP
block Jun 17 02:30:18 WAN 192.168.1.21:1055 239.255.255.250:8082 UDP
block Jun 17 02:30:16 WAN 192.168.1.20:1061 239.255.255.250:8082 UDP
block Jun 17 02:30:15 WAN 192.168.1.21:1055 239.255.255.250:8082 UDP
block Jun 17 02:30:13 WAN fe80::c225:6ff:fe25:d01f:52971 ff02::c:1900 UDP
and:
block Jun 17 02:33:11 LAN 192.168.0.100:57634 15.240.60.112:443 TCP:FPA
block Jun 17 02:33:10 LAN 192.168.0.100:43832 15.201.224.79:443 TCP:FPA
Yes, I read:
https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection
but the fact is, they only show up if Snort is enabled. If Snort is disabled these logs don't show up at all. They show up even with only IPS set to Connectivity and nothing else selected. Should I be worried or just ignore it? As far as I can tell everything is working fine besides that.
Any suggestions?
-T5000
-
Does clicking the red X for the block give you an error message that's informative? What rule does it say is causing the blocks?
Do you need to know what the events are or have you already figured that part out?
-
Hi T5000,
Do you have these enabled in the Status:System Logs:Settings?
Log Firewall Default Blocks
Log packets blocked by the default rule
Log packets blocked by 'Block Bogon Networks' rules
Log packets blocked by 'Block Private Networks' rules
The first set of blocks are Multicasts and the second one seems to be HP (revproxy-pro-site1eprint.houston.hp.com)
Does Snort have any Alerts around these time frames to help correlate these two together?
-
Disable logging for the block private networks rule (in the system logs settings)
-
As mentioned in the linked thread by BBcan177, Snort puts any interface it runs on in promiscuous mode. This means the interface sees all traffic on the segment/port it is connected to and not just traffic aimed at its MAC address. If you don't want to see the traffic, you can either add an explicit "block but don't log" rule for it, or you can take the approach mentioned in the thread linked by BBcan177.
Bill
-
Does clicking the red X for the block give you an error message that's informative? What rule does it say is causing the blocks?
Do you need to know what the events are or have you already figured that part out?
Not really, it just says: @5 block drop in log inet all label "Default deny rule IPv4". The service works correctly, though, but I find it odd that these blocks show up only with Snort enabled. Isn't the default block rule active anyway?
Hi T5000,
Do you have these enabled in the Status:System Logs:Settings?
Log Firewall Default Blocks
Log packets blocked by the default rule
Log packets blocked by 'Block Bogon Networks' rules
Log packets blocked by 'Block Private Networks' rules
The first set of blocks are Multicasts and the second one seems to be HP (revproxy-pro-site1eprint.houston.hp.com)
Does Snort have any Alerts around these time frames to help correlate these two together?
Not really, the only thing that shows up in Snort is: ET MALWARE Alexa Spyware Reporting. And yes, I have enabled these settings. I already figured out that the blocks will not be logged without them, but the same is true without Snort enabled.
So as I said, I was just curious if this has something to do with Snort because, as I mentioned, without Snort enabled they won't show in the Firewall log. I was just worried that Snort does something strange in the background and messed up my network connections. They work correctly I think; I didn't see anything that doesn't work as before.
-
Well looking at it logically,
- the default in pfSense is to deny all
- you do not have logging for this default turned on when snort is not present
- when snort is on, this rule starts logging
My guess is that snort enables logging for this rule as part of its base configuration.
-
Well looking at it logically,
- the default in pfSense is to deny all
- you do not have logging for this default turned on when snort is not present
- when snort is on, this rule starts logging
My guess is that snort enables logging for this rule as part of its base configuration.
Nope, Snort does not touch the firewall rules at all. All it does is put the interface in promiscuous mode. I promise it does not touch any firewall rules or pfSense logging options.
Bill
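Added example (not from this thread, pfSense or Snort): a small Python triage script over the firewall-log entries quoted above, labelling each block as multicast noise (what a promiscuous NIC hands to pf) or a late TCP teardown packet (the case from the linked pfSense doc), and leaving everything else for review. The sample lines are the thread's own entries re-typed one per line; the TCP-flag heuristic is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the firewall-log entries quoted in the thread, one per line.
SAMPLE_LOG = """\
block Jun 17 02:30:22 WAN 192.168.1.20:1061 239.255.255.250:8082 UDP
block Jun 17 02:30:21 WAN 192.168.1.21:1055 239.255.255.250:8082 UDP
block Jun 17 02:30:13 WAN fe80::c225:6ff:fe25:d01f:52971 ff02::c:1900 UDP
block Jun 17 02:33:11 LAN 192.168.0.100:57634 15.240.60.112:443 TCP:FPA
block Jun 17 02:33:10 LAN 192.168.0.100:43832 15.201.224.79:443 TCP:FPA
"""

# Field layout as printed in the thread: action, timestamp, interface,
# src:port, dst:port, protocol (TCP entries carry a flag suffix, e.g. TCP:FPA).
LINE_RE = re.compile(
    r"^(?P<action>\w+) (?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<iface>\w+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) (?P<proto>\S+)$"
)

def parse_entry(line):
    """Parse one log line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["src_ip"] = ipaddress.ip_address(e["src"])
    e["dst_ip"] = ipaddress.ip_address(e["dst"])
    return e

def classify(e):
    """Label a blocked entry by the benign explanation it matches, if any."""
    proto, flags = (e["proto"].split(":") + [""])[:2]
    if e["dst_ip"].is_multicast:
        # 224.0.0.0/4 or ff00::/8 (SSDP/UPnP here): a promiscuous NIC hands every
        # multicast frame on the segment to pf, which denies and logs it.
        return "multicast"
    if proto == "TCP" and flags and "S" not in flags and ("F" in flags or "R" in flags):
        # Teardown packets (FIN/RST) arriving after pf has already dropped the
        # state: the "legitimate connection" case from the linked pfSense doc (assumed heuristic).
        return "stale-tcp-state"
    return "review"

def triage(log_text):
    """Count blocked entries per (interface, label); 'review' ones deserve a look."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e and e["action"] == "block":
            counts[(e["iface"], classify(e))] += 1
    return counts

if __name__ == "__main__":
    for (iface, label), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{iface:4} {label:16} {n}")
```

Feed it a real export from Status > System Logs > Firewall and anything counted under "review" is what is actually worth chasing; the multicast and stale-state buckets are the logging side effect the thread describes.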