    Alerts Showing Up, BUT Got Nothing In The Blocked List…

bmeeks:

      What is the "Clear Blocked Hosts Interval" set for?  If any alerts are older than that setting, then their corresponding blocks would have been cleared.

      Make sure you do not have any duplicate Snort processes by looking at the output of this command:

      ps -ax |grep snort

      That command should output one line per configured Snort interface (two lines per interface if you have Barnyard2 enabled).

      Look in your system log for any evidence of the packet filter reloading.  Any activity on the firewall that causes the packet filter to reload can clear the table that Snort populates with blocked IP addresses.  Snort itself does not literally do the blocking. It simply stuffs the offending IP addresses into a pre-defined table in the firewall packet filter.  After that the packet filter is in charge, so anything that might happen on the packet filter side to dump or clear the pre-defined tables will also clear out and lose any blocks Snort passed in.  When you view the BLOCKED tab in Snort, all it does is query that firewall packet filter table (the ) and display any IP addresses it finds there.  Snort does not keep its own private block list.

      Bill

ghostshell:

        Upgraded Snort to the latest package, upgraded pfSense to 2.2.1. Have a ton of UDP scans that should have the SRC IP blocked and nothing in the list. Disabled block, stopped Snort, enabled block, set options, started Snort, checked ps aux for Snort via shell:

        82933  -  Ss      0:00.05 /usr/local/bin/snort -R 1564 -D -q --suppress-config-log -l /var/log/snort/snort_sk01564 --pid-path /var/run --nolock-pidfile -G 1564

        No other processes at time of this post.

        Days to keep blocked IPs = 28 days.

bmeeks:

          Can you provide the current contents of the PASS LIST file for the affected interface?  Go to the SETTINGS tab for that interface and click the View List button beside the drop-down for PASS LIST.  Grab the contents of that window and post back, or just note all the IP addresses in that window and see if any of them (or the network blocks shown) encompass the IP you think should be blocked due to the port scan.

          Just trying to be sure the IP is not part of a Pass List.  That's really the only thing that can prevent a block from happening if you are getting the alert on the ALERTS tab.  The alerts trigger the code for the block.  First the block code compares the IP addresses in the alert to all of the IPs and net blocks in the Pass List (either the user-assigned list or the default list), and if the IP is within a Pass List network the block action is skipped.  If the IP is not found within a Pass List network, then it is blocked.

          Bill

ghostshell:

            Sure, give me a bit. FYI, the only interface that is set up and being watched is WAN; I have no other interfaces set up in Snort.

ghostshell:

              Attached pic of pass list

              [attachment: passlist.PNG]

bmeeks:

                @ghostshell:

                Attached pic of pass list

                No, not this screen. I  need to see the pop-up window from the WAN SETTINGS tab in Snort.  On that tab, down near the bottom is a drop-down selector for choosing which Pass List is assigned.  That box will either say "default" or it will have an assigned list name in it.  To the right of that is a View List button.  Click that button and a pop-up window will appear showing the list of IP addresses and network IP blocks included in the pass list for the WAN.  The contents of that pop-up window are what I want to see.

                Also post a copy of the alert you received for the UDP port scan that you said did not result in a block.

                Thanks,

                Bill

ghostshell:

                  Pass list: default

                  Snort: Pass List Viewer:
                  8.8.4.4
                  8.8.8.8
                  10.21.42.0/24
                  10.42.21.0/24
                  WAN IP
                  WAN GW
                  127.0.0.1
                  172.21.0.0/16
                  192.168.0.0/24
                  192.168.1.0/24
                  ::1
                  fe80::290:7fff:fe3e:554e
                  fe80::290:7fff:fe3e:554f
                  fe80::290:7fff:fe3e:5550
                  fe80::290:7fff:fe3e:5551

                  Alert for UDP scan not in block list; there were multiple scans that did not get blocked (sorry for the extra gibberish, I copied these off the alert page):

                  03/24/15 21:53:42  Pri 2  Attempted Information Leak  Src 80.76.104.110 -> Dst WAN IP  GID:SID 122:21  (portscan) UDP Filtered Portscan
                  03/24/15 21:52:00  Pri 2  Attempted Information Leak  Src 80.76.104.110 -> Dst WAN IP  GID:SID 122:21  (portscan) UDP Filtered Portscan
                  03/24/15 21:41:04  Pri 2  Attempted Information Leak  Src 80.76.104.110 -> Dst WAN IP  GID:SID 122:21  (portscan) UDP Filtered Portscan
                  03/24/15 21:39:21  Pri 2  Attempted Information Leak  Src 80.76.104.110 -> Dst WAN IP  GID:SID 122:21  (portscan) UDP Filtered Portscan
                  03/24/15 21:38:57  Pri 2  Attempted Information Leak  Src 80.76.104.110 -> Dst WAN IP  GID:SID 122:21  (portscan) UDP Filtered Portscan

                  Should these get blocked as well? If so, they are not in the block list (4 total, not just the 1):

                  03/28/15 09:22:27  Pri 2  TCP  Detection of a Non-Standard Protocol or Event  Src WAN IP:13550 -> Dst 146.0.42.110:22  GID:SID 128:4  (spp_ssh) Protocol mismatch

bmeeks:

                    OK, I should have asked this earlier.  On the INTERFACE SETTINGS tab where you have Block Offenders enabled, what is the Which IP to Block parameter set to?

                    If, for example, it is set for DST (destination IP) then the port scan from that external IP would not get blocked because the foreign IP is the SRC (source) while the WAN IP is the DST (destination).  The WAN IP is automatically in your pass list.

                    If you have it set for BOTH, which is the new default setting, then I'm not sure at this point why you would not be getting the block.

                    Bill

notaduck:
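How the Pass List check and the "Which IP to Block" setting interact, as an added Python example written for this thread (it is not the pfSense Snort package's own PHP code). The pass list is the "default" list posted above, the WAN address and gateway are assumed placeholder values standing in for the WAN IP / WAN GW tokens, and the two alerts are transcribed from the thread.

```python
import ipaddress

# Pass list as posted in the thread; "WAN IP" / "WAN GW" are tokens that
# pfSense substitutes with the interface's real addresses.
PASS_LIST = [
    "8.8.4.4", "8.8.8.8", "10.21.42.0/24", "10.42.21.0/24",
    "WAN IP", "WAN GW", "127.0.0.1", "172.21.0.0/16",
    "192.168.0.0/24", "192.168.1.0/24", "::1",
    "fe80::290:7fff:fe3e:554e", "fe80::290:7fff:fe3e:554f",
]
# Assumed placeholder addresses (not from the thread) for the WAN tokens.
WAN_IP = "203.0.113.10"
WAN_GW = "203.0.113.1"

# Alerts transcribed from the thread; WAN IP resolved to the placeholder.
PORTSCAN_ALERT = {"src": "80.76.104.110", "dst": WAN_IP, "sid": "122:21"}
SSH_ALERT = {"src": WAN_IP, "dst": "146.0.42.110", "sid": "128:4"}


def load_pass_list(entries, wan_ip=WAN_IP, wan_gw=WAN_GW):
    """Expand the WAN tokens and parse every entry as a network (hosts become /32 or /128)."""
    tokens = {"WAN IP": wan_ip, "WAN GW": wan_gw}
    return [ipaddress.ip_network(tokens.get(e, e), strict=False) for e in entries]


def in_pass_list(ip, nets):
    """True if the address falls inside any pass-list host or network block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def addresses_to_block(alert, which_ip, nets):
    """Apply the block decision Bill describes: pick SRC, DST or BOTH addresses from
    the alert, then drop any that the pass list covers.  Returns the set that
    would actually be inserted into the packet-filter table."""
    candidates = {
        "SRC": [alert["src"]],
        "DST": [alert["dst"]],
        "BOTH": [alert["src"], alert["dst"]],
    }[which_ip]
    return {ip for ip in candidates if not in_pass_list(ip, nets)}


if __name__ == "__main__":
    nets = load_pass_list(PASS_LIST)
    for name, alert in (("portscan", PORTSCAN_ALERT), ("spp_ssh", SSH_ALERT)):
        for which in ("SRC", "DST", "BOTH"):
            print(name, which, addresses_to_block(alert, which, nets) or "no block")
```

With the setting on SRC, the external scanner is blocked but the spp_ssh alerts, whose source is the WAN IP, never produce a block because the WAN IP is always in the pass list.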

                      I had the same problem with Snort yesterday, but I just had to enable WAN preprocessing and, wupti, Snort starts to block.

ghostshell:

                        Set for SRC only.

                        @duck - where is the setting you are referring to? I see many preprocs since the upgrade, when there was only 1.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.