IPs Blocked or not Blocked?

getagrep

This is about Snort within pfSense.
There is a long list of Alerts, including things like "Misc attack" by "ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 20" … lots of those ...
I have enabled "Block Offenders" in Snort Interfaces / WAN / Edit / Block Offenders.
In Snort / Global Settings, I have set the "Removed Blocked Hosts Interval" to 4 days (up from the default of 1 hour).
Subsequent to saving these settings, offending IPs still don't go into the "Blocked" list.
Despite there being many priority 1 and priority 2 Alerts, no IPs are going into Blocked.  That's a worry to me.

(I would think that by default, if I receive a "Misc attack" by an "ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group XX", that IP address should be blocked for ALL traffic, not just the offending packets, as there might be zero day ways to get hacked by those IPs by other packets which are as yet unknown to Snort and others.  Maybe one packet or a few get blocked, but what about additional activity by them against my system?)

Question:
Is Snort just "alerting" me of these attacks but not blocking them, or
is Snort also blocking these particular packets or traffic but not all traffic from the source IP addresses, or
is Snort also blocking all traffic from these IP addresses and just not reporting that it's blocking all traffic?

If anybody knows the answer to this question, it would be very much appreciated.  I am just now learning pfSense, which I appreciate, and hopefully I can answer others' questions after I learn enough to give accurate and useful answers. :)

johnpoz

Snort on wan its pretty pointless if you ask me.. Its going to do nothing but flood your logs with noise..

Are you forwarding traffic to something behind pfsense.  If so snort should only be concerned with traffic that will flow over that forward..  Looking at other traffic and blocking it is waste of time, since all traffic is dropped by the default deny.

logging especially UDP noise is waste of resources if you ask me..

I only log SYN blocks to my wan - to be honest just as curiosity to which ports are most common.. ssh, telnet, RDP (3389) all really popular still ;)

Also you will most likely have better luck if you put such a question in the specific IPS/IDS section under packages.

NogBadTheBad

Services -> Snort -> Blocked Hosts or Diagnostics -> Tables

If it's blocking it will show in the blocked hosts or snort2c table.

I pay more attention to my LAN interfaces but also run snort on the WAN as I use blacklists.

getagrep

Yes, I have a linux server on a LAN behind pfSense which I and around half a dozen people access remotely by web browser and SSH, both on unconventional ports, whereby pfSense forwards incoming traffic to this linux server.

All the incoming "Misc Attack" alerts have the "Destination IP" as the pfSense NIC's WAN IP address, which is a 192.168.subnet address.  Of course, the "Source IP" is a wide variety of IP addresses all over the world.

I have looked at my
/var/log/messages
on my linux server and can see that yes, there were attempted connections reaching the linux server from the IP addresses of "Misc Attack" sources, so this confirms what I thought – that Snort is NOT blocking the attempted remote connections from "Misc Attack" Emerging Threat (ET) "ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group [XX]" source IPs.

Basically, incoming internet connections are forwarded from the modem (on a dynamic IP address assigned by my ISP) to the pfSense box's WAN NIC on a 192.168.first.subnet, and then out the pfSense box's LAN NIC on a 192.168.second.subnet to an ordinary ethernet switch which in turn has cables radiating to a half dozen normal LAN workstations plus the linux server. While on the road, people can access the linux server by web and SSH, and it's the only server on the LAN.  People don't access their workstations remotely.  Just the server.  So remote incoming connection traffic is directed to the one and only server, over a wide block range of ports (the wide block range I figured would help my linux server's own firewall block port scanners, plus make it more difficult for somebody to guess our two port numbers, plus show me how much hacker traffic was coming to better assess the volume of threats).

Basically, I trusted the firewall of pfSense more than I trusted the firewall of a commercial modem, plus I can log and view a lot more of what's happening on pfSense than the commercial modem.

(I also have a firewall on my linux server, as mentioned above, which was intended to be an extra layer of security.)

A main reason for using Snort, I thought, was to import the list of Emerging Threats which could be automatically blocked, as well as use the Snort Vulnerability Research Team (VRT) Rules.

Snort is working to generate Alerts from attacks it recognizes from Emerging Threats, as well as other suspicious incoming traffic, but it's apparently not blocking the known attack traffic nor blocking the Source IP's of the attackers. Snort is apparently not blocking anything, despite my settings to "Block Offenders" as detailed in my original post.

So, I'm sorry to say, Snort doesn't seem to be of much practical use at this point, unless somebody can point out what I'm doing wrong.

pfSense overall is nice and much appreciated.  It's just Snort which I'm frustrated with at the moment.  Maybe it's time for an alternative to Snort?  Or am I misunderstanding something or doing something wrong?

I think NogBadTheBad is right in his reply that using blacklists of known threats is an important part of security, and that's what I have been trying to do with Snort and the Emerging Threats list, but Snort just doesn't seem to be blocking anything in my pfSense, though maybe it's working for NogBadTheBad. Nothing is showing in my blocked hosts list. It also says at the bottom of the page "There are currently no hosts being blocked by Snort."

bmeeks

Snort works fine and blocks fine.  There are many users on this forum using it successfully.  I have it working just fine on my home network and it produces blocks with no issues.  You do not have something configured correctly.  I have no idea what that might be as I can't examine your system remotely.  I can only assure you that, properly configured, Snort works just fine.

As @johnpoz suggested, generally there is no benefit in running Snort on the WAN unless you have an external facing host of some sort providing a public service (such as a web server, email server, DNS server, etc.).  Snort (and Suricata in Legacy Mode) use libpcap to get copies of packets inbound from the WAN to the pf firewall engine.  Snort analyzes and works with the copy whereas the original packet continues on to the firewall.  The key point here is that your pf firewall is going to have already blocked unsolicited inbound traffic before Snort will, since Snort is working off that copy.

You state that you have users accessing a LAN server from the Internet via SSH and HTTP.  Still better to run Snort on the LAN in my view.  A key benefit of that is alerts will show up with the internal IP address of the host.  When run on the WAN with NAT, all your local hosts will show up as the WAN IP because Snort sees outbound traffic after NAT rules have been applied.

One tip for you, investigate your Pass List setting and the parameter on INTERFACE SETTINGS for which IP to block.  Is that set to BOTH?  Your LAN host is going to be in the automatic default Pass List (all LAN host IPs are included).  You can customize that if you want to.

Bill

NogBadTheBad

Is your modem routing, if it was bridging you's see a non RFC1918 address on the pfSense WAN NIC ?

BTW my blacklist is to block shodan.io & other IP addresses.