4. Snort Blocking Disabled on LAN - Keeps On Blocking

Snort Blocking Disabled on LAN - Keeps On Blocking

  • J

    Hello,

    I am working with Snort on the Lan interface and decided to turn blocking off, since it was blocking quite a few sites by mistake.  One thing I notice is when I turned blocking off, restarted the interface for the LAN, it keeps blocking some websites.

    I have turned it off an on and resaved, but I cannot seem to get it to stop blocking and just log alerts.

    Thanks,

    Jerold

    ![Screen Shot 2016-05-17 at 10.36.00 AM.png](/public/imported_attachments/1/Screen Shot 2016-05-17 at 10.36.00 AM.png)
    ![Screen Shot 2016-05-17 at 10.36.00 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2016-05-17 at 10.36.00 AM.png_thumb)

    0
  • Moderator

    Clear the IPs in the "Blocked" Tab.

    0
  • J

    I do, but they come right back when I load a webpage

    0
  • Moderator

    Stop and Re-start the Snort Interfaces.

    0
  • J

    You mean the blue stop button under the Snort Status for my LAN interface line, correct?  I have done that about four times without any change.  Its odd.  I will do it again.

    Thanks,
    Jerold

    ![Screen Shot 2016-05-17 at 10.53.22 AM.png](/public/imported_attachments/1/Screen Shot 2016-05-17 at 10.53.22 AM.png)
    ![Screen Shot 2016-05-17 at 10.53.22 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2016-05-17 at 10.53.22 AM.png_thumb)

    0
  • J

    I turned the interface off and back on, blocking shows disabled and I cleared all of the block line items.

    it is still blocking based on a rule firing.  I get alerts and these are leading to block entries.

    To clarify, by turning blocking off, the IDS should run and post alerts based on the library/rules selected (snort VRT) without blocking the offending site, correct?

    Thanks your your help,

    Jerold

    0
  • Moderator

    Run this command from the shell and see if you have a duplicated PID:

    ps auxww | grep snort

    There should only be one PID per Snort interface… If you have duplicated PIDs, run a

    kill -9 command to kill the PIDs and then restart the Interface again.

    0
  • J

    I had three instances of snort running.  Will stop/restart one more time and see if it works.

    Thank you very much,

    Jerold

    0
  • J

    All is well and I am only seeing alerts and no blocking now.  Any idea how I ended up with duplicate processes running?

    Thanks,

    Jerold

    0

  • @jpvonhemel:

    All is well and I am only seeing alerts and no blocking now.  Any idea how I ended up with duplicate processes running?

    Thanks,

    Jerold

    This can happen when your WAN IP address changes/updates or for whatever reason the system issues multiple "restart all packages" commands in a short period of time.  Snort can get started multiple times in this scenario.  There is logic in the shell startup script for Snort that tries to prevent this, but it does not always work.

    Bill

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy