Netgate Discussion Forum
    Snort enabled causes strange Firewall log

    pfSense Packages
    • T5000

      Hi,

      I recently upgraded to a more powerful box for pfSense so I can run something like Snort etc. I installed Snort and configured it. So far so good; I'm satisfied with Snort itself for the moment, but after I looked in the Firewall Log I noticed there are some strange "Blocks" for traffic from LAN->WAN even with the any-any rule for LAN.

      They look like this:

      
       block	Jun 17 02:30:22	WAN	192.168.1.20:1061	239.255.255.250:8082	UDP
       block	Jun 17 02:30:21	WAN	192.168.1.21:1055	239.255.255.250:8082	UDP
       block	Jun 17 02:30:19	WAN	192.168.1.20:1061	239.255.255.250:8082	UDP
       block	Jun 17 02:30:18	WAN	192.168.1.21:1055	239.255.255.250:8082	UDP
       block	Jun 17 02:30:16	WAN	192.168.1.20:1061	239.255.255.250:8082	UDP
       block	Jun 17 02:30:15	WAN	192.168.1.21:1055	239.255.255.250:8082	UDP
       block	Jun 17 02:30:13	WAN	fe80::c225:6ff:fe25:d01f:52971	ff02::c:1900	UDP
      

      and:

      
       block	Jun 17 02:33:11	LAN	192.168.0.100:57634	15.240.60.112:443	TCP:FPA
       block	Jun 17 02:33:10	LAN	192.168.0.100:43832	15.201.224.79:443	TCP:FPA
      

      Yes, I read:
      https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

      but the fact is, they only show up if Snort is enabled. If Snort is disabled, these logs don't show up at all. They show up even with only IPS set to Connectivity and nothing else selected. Should I be worried or just ignore it? As far as I can tell, everything is working fine besides that.

      Any suggestions?

      -T5000

      • fearnothing

        Does clicking the red X for the block give you an error message that's informative? What rule does it say is causing the blocks?

        Do you need to know what the events are or have you already figured that part out?

        • BBcan177 (Moderator)

          Hi T5000,

          Do you have these enabled in the Status:System Logs:Settings?

          Log Firewall Default Blocks

          Log packets blocked by the default rule
          Log packets blocked by 'Block Bogon Networks' rules
          Log packets blocked by 'Block Private Networks' rules

          The first set of blocks are Multicasts and the second one seems to be HP (revproxy-pro-site1eprint.houston.hp.com)

          Does Snort have any Alerts around these time frames to help correlate these two together?

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          • BBcan177 (Moderator)

            Disable logging for the block private networks rule (in the system logs settings)

            https://forum.pfsense.org/index.php?topic=70753.0


            • bmeeks

              As mentioned in the linked thread by BBcan177, Snort puts any interface it runs on in promiscuous mode.  This means the interface sees all traffic on the segment/port it is connected to and not just traffic aimed at its MAC address.  If you don't want to see the traffic, you can either add an explicit "block but don't log" rule for it, or you can take the approach mentioned in the thread linked by BBcan177.

              Bill

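              Added example, not code from the thread, from pfSense or from the Snort package: a small Python triage script that parses firewall-log summary lines in the layout T5000 posted (action, timestamp, interface, src, dst, proto[:flags], tab-separated) and sorts them into the two benign patterns discussed above, multicast/discovery traffic that a promiscuous interface sees even though it is not addressed to the firewall, and out-of-state TCP packets such as the TCP:FPA entries covered by the pfSense doc linked in the first post. The sample lines are constructed for the example; the last one uses documentation addresses (203.0.113.9 / 198.51.100.7) and exists only to show the "review" case. The classification rules and the function names are my own, not anything pfSense ships.

```python
"""Triage pfSense firewall-log summary lines (added example, not from the thread)."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in the tab-separated layout shown in the forum post.
# The fourth line is made up (RFC 5737 documentation addresses) to show a
# genuine inbound connection attempt that the triage should NOT wave through.
SAMPLE_LOG = """\
block\tJun 17 02:30:22\tWAN\t192.168.1.20:1061\t239.255.255.250:8082\tUDP
block\tJun 17 02:30:13\tWAN\tfe80::c225:6ff:fe25:d01f:52971\tff02::c:1900\tUDP
block\tJun 17 02:33:11\tLAN\t192.168.0.100:57634\t15.240.60.112:443\tTCP:FPA
block\tJun 17 02:35:00\tWAN\t203.0.113.9:40000\t198.51.100.7:22\tTCP:S
"""

# Why each category is (or is not) expected noise, in the terms used in this thread.
EXPLANATIONS = {
    "multicast": "destination is a multicast group (SSDP/discovery); a promiscuous "
                 "interface sees these frames although they are not addressed to the "
                 "firewall, so the default deny rule logs them",
    "out-of-state": "TCP packet without SYN that matched no state table entry, typically "
                    "a late FIN/ACK of an already closed session (see the linked pfSense doc)",
    "review": "no benign pattern recognised; check the rule label and any Snort alerts "
              "in the same time window",
}


@dataclass
class LogEntry:
    action: str
    timestamp: str
    interface: str
    src_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    src_port: int
    dst_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst_port: int
    proto: str
    flags: str  # TCP flag letters such as "FPA"; empty for non-TCP or unflagged lines


def split_endpoint(endpoint: str) -> tuple[ipaddress.IPv4Address | ipaddress.IPv6Address, int]:
    """Split 'addr:port'. IPv6 literals contain colons, so only the last colon separates the port."""
    addr, port = endpoint.rsplit(":", 1)
    return ipaddress.ip_address(addr), int(port)


def parse_line(line: str) -> LogEntry:
    """Parse one summary line; raises ValueError on a malformed line instead of guessing."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 tab-separated fields, got {len(fields)}: {line!r}")
    action, timestamp, iface, src, dst, proto_field = fields
    proto, _, flags = proto_field.partition(":")  # "TCP:FPA" -> ("TCP", "FPA"); "UDP" -> ("UDP", "")
    src_ip, src_port = split_endpoint(src)
    dst_ip, dst_port = split_endpoint(dst)
    return LogEntry(action, timestamp, iface, src_ip, src_port, dst_ip, dst_port, proto, flags)


def classify(entry: LogEntry) -> str:
    """Map an entry to one of the EXPLANATIONS keys."""
    # 224.0.0.0/4 and ff00::/8 are both covered by is_multicast.
    if entry.dst_ip.is_multicast:
        return "multicast"
    # A TCP segment that carries flags but no SYN cannot open a new state; if it was
    # blocked by the default rule it belongs to a session pf no longer tracks.
    if entry.proto == "TCP" and entry.flags and "S" not in entry.flags:
        return "out-of-state"
    return "review"


def triage(text: str) -> list[tuple[LogEntry, str]]:
    """Parse every non-empty line of a log dump and attach its category."""
    entries = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [(entry, classify(entry)) for entry in entries]


def summarize(text: str) -> dict[str, int]:
    """Count entries per category; the 'review' bucket is the one worth a closer look."""
    return dict(Counter(category for _, category in triage(text)))


if __name__ == "__main__":
    for entry, category in triage(SAMPLE_LOG):
        print(f"{entry.timestamp} {entry.interface:<4} {entry.src_ip}:{entry.src_port} -> "
              f"{entry.dst_ip}:{entry.dst_port} {entry.proto}{':' + entry.flags if entry.flags else ''}")
        print(f"    [{category}] {EXPLANATIONS[category]}")
    print(summarize(SAMPLE_LOG))
```

              The script only reads a pasted log; it changes nothing on the firewall. Entries in the "review" bucket are the ones to correlate with Snort alerts and the rule label (the "@5 block drop in log inet all label" text) before deciding whether a "block but don't log" rule, as bmeeks suggests, is the right way to quiet the rest.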
              • T5000

                @fearnothing:

                Does clicking the red X for the block give you an error message that's informative? What rule does it say is causing the blocks?

                Do you need to know what the events are or have you already figured that part out?

                Not really, it just says: @5 block drop in log inet all label "Default deny rule IPv4". The service works correctly though, but I find it odd that these blocks show up only with Snort enabled. Isn't the default block rule active anyway?

                @BBcan177:

                Hi T5000,

                Do you have these enabled in the Status:System Logs:Settings?

                Log Firewall Default Blocks

                Log packets blocked by the default rule
                Log packets blocked by 'Block Bogon Networks' rules
                Log packets blocked by 'Block Private Networks' rules

                The first set of blocks are Multicasts and the second one seems to be HP (revproxy-pro-site1eprint.houston.hp.com)

                Does Snort have any Alerts around these time frames to help correlate these two together?

                Not really, the only thing that shows up in Snort is: ET MALWARE Alexa Spyware Reporting. And yes, I have enabled these settings. I already figured out that the blocks will not be logged without them, but they also aren't logged without Snort enabled.

                So as I said, I was just curious whether this has something to do with Snort because, as I mentioned, without Snort enabled they won't show in the Firewall log. I was just worried that Snort does something strange in the background and messed up my network connections. They work correctly, I think; I didn't see anything that doesn't work as before.

                • fearnothing

                  Well, looking at it logically,

                  • the default in pfSense is to deny all
                  • you do not have logging for this default turned on when snort is not present
                  • when snort is on, this rule starts logging

                  My guess is that snort enables logging for this rule as part of its base configuration.

                  • bmeeks

                    @fearnothing:

                    Well, looking at it logically,

                    • the default in pfSense is to deny all
                    • you do not have logging for this default turned on when snort is not present
                    • when snort is on, this rule starts logging

                    My guess is that snort enables logging for this rule as part of its base configuration.

                    Nope, Snort does not touch the firewall rules at all.  All it does is put the interface in promiscuous mode.  I promise it does not touch any firewall rules or pfSense logging options.

                    Bill

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.