Netgate Discussion Forum

    Snort Blocking Disabled on LAN - Keeps On Blocking

IDS/IPS
    10 Posts 3 Posters 3.6k Views
jpvonhemel

      Hello,

I am working with Snort on the LAN interface and decided to turn blocking off, since it was blocking quite a few sites by mistake.  One thing I notice is that when I turned blocking off and restarted the LAN interface, it kept blocking some websites.

I have turned it off and on and resaved, but I cannot seem to get it to stop blocking and just log alerts.

      Thanks,

      Jerold

      ![Screen Shot 2016-05-17 at 10.36.00 AM.png](/public/imported_attachments/1/Screen Shot 2016-05-17 at 10.36.00 AM.png)

BBcan177, Moderator

        Clear the IPs in the "Blocked" Tab.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

jpvonhemel

I do, but they come right back when I load a webpage.

BBcan177, Moderator

            Stop and Re-start the Snort Interfaces.


jpvonhemel

You mean the blue stop button under the Snort Status for my LAN interface line, correct?  I have done that about four times without any change.  It's odd.  I will do it again.

              Thanks,
              Jerold

              ![Screen Shot 2016-05-17 at 10.53.22 AM.png](/public/imported_attachments/1/Screen Shot 2016-05-17 at 10.53.22 AM.png)

jpvonhemel

                I turned the interface off and back on, blocking shows disabled and I cleared all of the block line items.

It is still blocking based on a rule firing.  I get alerts and these are leading to block entries.

                To clarify, by turning blocking off, the IDS should run and post alerts based on the library/rules selected (snort VRT) without blocking the offending site, correct?

Thanks for your help,

                Jerold

BBcan177, Moderator

Run this command from the shell and see if you have a duplicated PID:

```
ps auxww | grep snort
```

There should only be one PID per Snort interface… If you have duplicated PIDs, run a `kill -9` command to kill the PIDs and then restart the interface again.


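The check BBcan177 describes, worked through as an added example (this is not code from the thread or from the pfSense Snort package): parse `ps auxww` output, report every interface that has more than one snort daemon, and print the `kill -9` lines for the extra PIDs so only one process per interface is left before the interface is restarted from the Snort GUI. It assumes the snort command line carries `-i <iface>` (the interface name is taken from the argument after `-i`); the `ps` output embedded below is constructed for the example, with one healthy interface and one that has three copies running.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense Snort package:
# parse "ps auxww" output, find interfaces that have more than one snort
# daemon, and emit the "kill -9" commands for the extra PIDs so that only
# one process per interface is left before the interface is restarted from
# the Snort GUI.
#
# ASSUMPTION: the snort command line carries "-i <iface>", so the interface
# is taken from the argument after -i. The ps output below is constructed
# for this example (em0 healthy, em1 started three times).

SAMPLE_PS='USER  PID %CPU %MEM    VSZ   RSS TT  STAT STARTED    TIME COMMAND
root  1234  0.0  3.1 250000 60000  -  Ss   10:01AM 0:05.12 /usr/local/bin/snort -R 12345 -D -q -c /usr/local/etc/snort/snort_12345_em1/snort.conf -i em1
root  1300  0.0  3.1 250000 60000  -  Ss   10:02AM 0:04.90 /usr/local/bin/snort -R 12345 -D -q -c /usr/local/etc/snort/snort_12345_em1/snort.conf -i em1
root  1377  0.0  3.1 250000 60000  -  Ss   10:02AM 0:04.10 /usr/local/bin/snort -R 12345 -D -q -c /usr/local/etc/snort/snort_12345_em1/snort.conf -i em1
root  1401  0.0  3.0 240000 59000  -  Ss   10:01AM 0:05.00 /usr/local/bin/snort -R 67890 -D -q -c /usr/local/etc/snort/snort_67890_em0/snort.conf -i em0
root  2001  0.0  0.0   6000  2000  0  S+   10:36AM 0:00.00 grep snort'

# Read ps output on stdin and print "iface pid pid ..." for each interface
# that has more than one snort process. The COMMAND column starts at field 11
# in "ps aux" output; the "grep snort" line and non-snort processes are skipped.
snort_dupes() {
    awk '
        $11 ~ /\/snort$/ {
            iface = ""
            for (i = 12; i < NF; i++) if ($i == "-i") iface = $(i + 1)
            if (iface == "") next
            pids[iface] = pids[iface] " " $2
            n[iface]++
        }
        END {
            for (iface in n) if (n[iface] > 1) print iface pids[iface]
        }' | sort
}

# Print a "kill -9 <pid>" line for every PID after the first one listed on
# each duplicated interface. The commands are printed, not executed: review
# them, then pipe into sh to apply, and restart the interface from the GUI.
snort_kill_extras() {
    snort_dupes | awk '{ for (i = 3; i <= NF; i++) print "kill -9 " $i }'
}

# Stand-alone demo on the constructed sample. On a real box use:
#   ps auxww | snort_dupes
#   ps auxww | snort_kill_extras | sh
printf '%s\n' "$SAMPLE_PS" | snort_dupes
printf '%s\n' "$SAMPLE_PS" | snort_kill_extras
```

The kill commands are printed rather than run so the list can be eyeballed first; whichever PID is kept, the interface should still be stopped and started from the Snort GUI afterwards, as the thread says, so the package's own PID tracking is back in step with what is actually running.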
jpvonhemel

                    I had three instances of snort running.  Will stop/restart one more time and see if it works.

                    Thank you very much,

                    Jerold

jpvonhemel

                      All is well and I am only seeing alerts and no blocking now.  Any idea how I ended up with duplicate processes running?

                      Thanks,

                      Jerold

bmeeks

@jpvonhemel:

> All is well and I am only seeing alerts and no blocking now.  Any idea how I ended up with duplicate processes running?
>
> Thanks,
>
> Jerold

                        This can happen when your WAN IP address changes/updates or for whatever reason the system issues multiple "restart all packages" commands in a short period of time.  Snort can get started multiple times in this scenario.  There is logic in the shell startup script for Snort that tries to prevent this, but it does not always work.

                        Bill

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.