Netgate Discussion Forum

    Manually block IP in snort

    IDS/IPS · 3 Posts · 2 Posters · 3.1k Views
    digininja

      I've got Snort running in alert-only mode, and while I'm learning how to use it I want to be able to watch the logs and manually select IPs to block. Is there a way to do it?

      Alternatively, is there a way to set up blocking so that I can get it to only block on certain rules?

      At the moment I know that certain types of traffic coming into my network must be malicious, for example RDP or MySQL so I want to block those straight off but I've just spent some time investigating one alert that turned out to be a false positive. If I'd had blocking mode on I'd have broken an app and probably confused myself for at least a few days.

    doktornotor (Banned)

        Uhm, no. It's either blocking or not blocking. Setting an alert (blocking) rule in non-blocking mode won't block anything. You can block it in your firewall, but things like RDP/MySQL would not normally be wide open :o So dunno what'd be the goal here; it should have been already blocked by the firewall anyway without setting up anything, you are seeing just an alert from the copy of the packet…

        As for syntax, this should give you a pretty good clue:

        https://rules.emergingthreats.net/open/suricata/rules/compromised.rules

    digininja

          It would be nice if there was a way to send an IP through to the firewall to be blocked directly from the Snort interface.

          The reason I was thinking of doing it was just to preemptively block IPs that I consider bad. Anything trying to access RDP on my firewall is "attacking" me in some way, so if I were to block them when I saw the RDP connections, which wouldn't achieve anything, it may save me when they switch to SSH, which is open and could cause problems.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.