Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Block subnets in snort

    IDS/IPS
    2
    5
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dcol Banned
      last edited by

      Is there any way to create an alert rule that would not just block the IP, but also the entire CIDR/24 of that IP.
      Example - an alert was triggered and IP 10.10.10.10 was blocked. I want 10.10.10.0/24 to be blocked

      is this possible?

      Reason I ask is because I use a rule to block emails from a particular TLD which sends multiple emails incrementing the IP to avoid blocking.
      example - I would get 4 emails in one second from 10.10.10.1, 10.10.10.2, 10.10.10.3, then 10.10.10.4
      By the time Snort blocks each individual IP, they got through, so Snort is useless for this type of attack.

      Any suggestions for a workaround?

      1 Reply Last reply Reply Quote 0
      • P
        Paint
        last edited by

        Out of the box, no this is not possible.

        You can turn on IP Reputation and add the IP/Subnet to the ipBlacklist.txt file

        pfSense i5-4590
        940/880 mbit Fiber Internet from FiOS
        BROCADE ICX6450 48Port L3-Managed Switch w/4x 10GB ports
        Netgear R8000 AP (DD-WRT)

        1 Reply Last reply Reply Quote 0
        • D
          dcol Banned
          last edited by

          How do I add automatically to the ipblacklist.txt?
          These attacks happen all day and night. Each IP range lasts for 10 to 30 minutes, then they start with a new range of IP's. I average 250-500 per day. You would think they would exhaust their supply of IP's but it seems endless and never repeats.

          I already have an Easy Rule IP Alias that I add to every day that blocks these IP CIDR's. I was looking for a way to block them automatically. I am afraid that this alias will get so large it will affect the pfsense performance. There are already 45K IP's in there from these attacks.

          1 Reply Last reply Reply Quote 0
          • P
            Paint
            last edited by

            @dcol:

            How do I add automatically to the ipblacklist.txt?
            These attacks happen all day and night. Each IP range lasts for 10 to 30 minutes, then they start with a new range of IP's. I average 250-500 per day. You would think they would exhaust their supply of IP's but it seems endless and never repeats.

            I already have an Easy Rule IP Alias that I add to every day that blocks these IP CIDR's. I was looking for a way to block them automatically. I am afraid that this alias will get so large it will affect the pfsense performance. There are already 45K IP's in there from these attacks.

            im not aware of any way to do this automatically

            You could write a script to run as a cron job to parse the Snort Alert log and then add those IPs to the ipblacklist.txt

            pfSense i5-4590
            940/880 mbit Fiber Internet from FiOS
            BROCADE ICX6450 48Port L3-Managed Switch w/4x 10GB ports
            Netgear R8000 AP (DD-WRT)

            1 Reply Last reply Reply Quote 0
            • D
              dcol Banned
              last edited by

              Impossible to control with a cron script. Attack is finished by the time script is run.

              If anyone has an ingenious way of handling this, let me know. Eventually every email server will be prone to this type of spam. I do prevent these emails from getting into mailboxes with a filter, I just want to eliminate it from the source so the attacker thinks this IP is blocked.

              Every day I add another 2K-4K IP's to the block alias. Eventually this will have performance effects.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.