Netgate Discussion Forum

    Is pfBlocker and Snort compatible?

      RonpfS

      Look at the Alerts tab and suppress the IP or the domain name that is blocked when pfBlockerNG is active.

      2.4.5-RELEASE-p1 (amd64)
      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

        Velcro

        Do I go to the IPv4 tab, hit the "+" sign, create alias and add IP to "IPv4 Lists"?

        Thank you again..

          RonpfS

          Not the IPv4, the Firewall / pfBlockerNG / Alerts tab

            Velcro

            I am on the Firewall/pfBlocker/Alerts tab but can't see where I can suppress an IP?

            Is there a setting in pfBlocker(maybe the pfBlocker General tab) that will allow me to suppress an IP for GeoIP?

            Thanks again for the help..

              RonpfS

              When you see this click on it to get more information about the pfblockerNG functionalities.

              Did you enable suppression under Firewall / pfBlockerNG / IP?

              Alerts can be suppressed using the '+' icon in the Alerts tab and IPs are added to the IPv4 suppression custom list.
              For GeoIP/Blocked IPs in a CIDR other than /32 or /24, will need a 'Whitelist alias' w/ a List Action: 'Permit Outbound' Firewall rule.
              Only 'Deny' type Aliases can be suppressed!

                Velcro

                I enabled "Suppression" under Firewall/pfBlockerNG/General…however I do not know where "Firewall / pfBlockerNG / IP"  is...not sure if that is the same?

                  RonpfS

                  Well, there is no suppression setting under Firewall / pfBlockerNG / General in the Development version. It's in the Firewall / pfBlockerNG / IP tab.
                  So maybe your tabs are different than mine.  :-[

                    Velcro

                    Seems basic but I cannot find a Firewall/pfblockerng/IP tab? See my screenshots attached.

                    I did find that a pfblockerNGSuppress alias was added, however it is currently empty…is that where the suppressed IPs go?

                    Might be a different screen to yours and pfBlocker doesn't work with a sg2440 running pfsense 2.3.4?

                    IMG_0145.JPG
                    IMG_0144.JPG

                      RonpfS

                      As I stated, I am using a "later/under development" version of pfBlockerNG, so your tabs are quite different from my version.

                      When you can suppress an IP, there is a blue "+" icon on the left of the IP.

                      So in your case, if you want to "Whitelist" the IPs without the "+" icon, you have to follow the instructions:

                      For GeoIP/Blocked IPs in a CIDR other than /32 or /24, will need a 'Whitelist alias' w/ a List Action: 'Permit Outbound' Firewall rule.
                      Only 'Deny' type Aliases can be suppressed!

                      But try to download the rules with a browser https://www.snort.org/downloads/#rule-downloads
                      the IP used on my side is 104.16.63.75

                      Maybe it's the domain name that is blocked.

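The rule quoted in the post above (suppression applies only to /32 or /24 entries in 'Deny' aliases; anything else needs a Whitelist alias with List Action 'Permit Outbound'), worked through as an added example that is not part of the thread or of pfBlockerNG. The alias names and list entries are constructed sample data, and `classify_block` is a hypothetical helper.

```python
import ipaddress

# Constructed sample data (hypothetical alias names, not real feed contents):
# (alias name, List Action, entries in that alias)
SAMPLE_ALIASES = [
    ("pfB_SAmerica_v4", "Deny", ["200.133.0.0/16"]),
    ("pfB_Level1_v4", "Deny", ["198.51.100.0/24", "203.0.113.7/32"]),
    ("pfB_Whitelist_v4", "Permit Outbound", ["192.0.2.0/24"]),
]


def classify_block(ip, aliases=SAMPLE_ALIASES):
    """List every alias entry containing `ip` and the fix the quoted rule implies."""
    addr = ipaddress.IPv4Address(ip)
    matches = []
    for name, action, entries in aliases:
        for entry in entries:
            net = ipaddress.IPv4Network(entry, strict=False)
            if addr not in net:
                continue
            if action != "Deny":
                fix = "none"          # only 'Deny' type aliases can be suppressed
            elif net.prefixlen in (24, 32):
                fix = "suppress"      # '+' icon in the Alerts tab
            else:
                fix = "whitelist"     # Whitelist alias, List Action 'Permit Outbound'
            matches.append((name, str(net), fix))
    return matches


if __name__ == "__main__":
    # 200.133.48.21 is the address from Ramosel's whitelist entries in this thread;
    # the other addresses are documentation ranges.
    for ip in ("200.133.48.21", "203.0.113.7", "198.51.100.20", "192.0.2.5", "8.8.8.8"):
        print(ip, classify_block(ip) or "not in any sample list")
```

An address caught by a wide GeoIP range comes back as `whitelist`, which matches the case in this thread where no "+" icon is offered in the Alerts tab.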
                        Velcro

                        Thanks RonpfS…I appreciate the help!

                          BBcan177 Moderator

                          I believe that the Snort OpenAppID Detector Feed is based in South America…

                          "Experience is something you don't get until just after you need it."

                          Website: http://pfBlockerNG.com
                          Twitter: @BBcan177  #pfBlockerNG
                          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                            Ramosel

                            @BBcan177:

                            I believe that the Snort OpenAppID Detector Feed is based in South America…

                            Yep, Brazil…    this is the one you helped me with.  I don't use the country lists for that region.

                            TLD blacklist
                            br
                            edu.br

                            TLD whitelist
                            www.ifs.edu.br|200.133.48.21 # for SNORT OpenAppID rule
                            ifs.edu.br|200.133.48.21 # for SNORT OpenAppID rule
                            thor.ifs.edu.br|200.133.48.21 # SNORT OpenAppID rule

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.