Any alert lock also my WAN
I have installed a dedicated pfsense for the snort who worked as a man in the middle, a bridge. From the router of my ISP goes a cable to my pfsense / snort and it goes another cable to my edge firewall.
ISP ROUTE <==> PFSENSE SNORT / BRIDGE <==> MAIN FIREWALL (WAN)
Well, I have snort properly installed and I started to do efficiency tests of the rules from outside to inside my network. It happens that every time snort blocks a source IP through an alert (portscan, for example) at the same time it also blocks the address of my WAN through this same alert. It is automatic, http inspect, port scan, among others. Every time snort has blocked an origin due to an alert it also adds an entry blocking the ip of my WAN, which is the ip that receives all these connections on the edge. When this happens my internet drops due to my DNS being resolved through this WAN.
I did as follows. I added the ip of my wan in the passlist, and it does not block anymore. But I'm afraid of this configuration because I do not know the types of attacks very well and I fear that this can open a breach for attacks in my network.
I would like to hear your opinion about what is possibly happening and if this configuration I made in the passlist can compromise the efficiency of my snort.
My pfsense is:
built on Tue Jul 19 12:44:43 CDT 2016
In suricata there is an option to select whether rules will block BOTH, SOURCE or DESTINATION host. I actually don't understand how it works because mine is set to both (which is recommended) but I've not had any issues like you've described.
Check out snort and see if there is an option for this.
It does seem strange that this would be happening.
In snort is also the same way. I also leave it as both, but even changing to source it also blocks similarly my wan ip address. :-\
Your WAN IP would normally be excluded unless you messed up the default pass lists (or are messing with the whacky inline mode). If your WAN getting blocked is not the pfSense WAN, you'll need to add whatever required IP to you custom pass list and assign that pass list to Snort/Suricata interface(s).
Doktornotor, yes, I'm using my snort as you said it, in in-line mode, like the bridge between two network segments (between my ISP router and my main firewall). Now, would you tell me if this way, setting my wan ip on passlists, would not open some security hole in my network? I think it might not block some kind of threat, I do not know. If you do not see problem I will leave it configured this way, with ip of wan added in the passlist.