Any alert also locks my WAN
-
Hello guys,
I have installed a dedicated pfSense box for Snort, which works as a man in the middle, a bridge. A cable goes from my ISP's router to my pfSense/Snort box, and another cable goes from there to my edge firewall.
ISP ROUTER <==> PFSENSE SNORT / BRIDGE <==> MAIN FIREWALL (WAN)
Well, I have Snort properly installed, and I started doing efficiency tests of the rules from outside my network to inside. It happens that every time Snort blocks a source IP because of an alert (a portscan, for example), it also blocks the address of my WAN through that same alert. It is automatic: http_inspect, portscan, among others. Every time Snort has blocked an origin because of an alert, it also adds an entry blocking the IP of my WAN, which is the IP that receives all these connections at the edge. When this happens my internet drops, because my DNS is resolved through this WAN.
I did the following. I added the IP of my WAN to the pass list, and it does not get blocked anymore. But I'm afraid of this configuration, because I do not know the types of attacks very well, and I fear that this could open a breach for attacks on my network.
I would like to hear your opinion about what is possibly happening, and whether this configuration I made in the pass list can compromise the efficiency of my Snort.
My pfsense is:
2.3.2-RELEASE (amd64)
built on Tue Jul 19 12:44:43 CDT 2016
FreeBSD 10.3-RELEASE-p5
-
In Suricata there is an option to select whether rules will block BOTH, SOURCE or DESTINATION host. I actually don't understand how it works, because mine is set to both (which is recommended), but I've not had any issues like you've described.
Check out Snort and see if there is an option for this.
It does seem strange that this would be happening.
-
In Snort it is also the same way. I also leave it as both, but even when changing it to source it still blocks my WAN IP address in the same way. :-\
-
Your WAN IP would normally be excluded unless you messed up the default pass lists (or are messing with the wacky inline mode). If the WAN getting blocked is not the pfSense WAN, you'll need to add whatever required IP to your custom pass list and assign that pass list to the Snort/Suricata interface(s).
-
Doktornotor, yes, I'm using my Snort as you said, in inline mode, as the bridge between two network segments (between my ISP router and my main firewall). Now, could you tell me whether this way, setting my WAN IP in the pass lists, would not open some security hole in my network? I think it might not block some kind of threat, I do not know. If you do not see a problem, I will leave it configured this way, with the IP of the WAN added to the pass list.
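To make the behaviour in the first post and the question in the last one concrete, here is an added toy model of the block decision; it is not pfSense or Snort code and is not from anyone in this thread. It assumes an alert carries a source and a destination IP, that the "which IP to block" setting is one of both, src or dst, and that an address matching any host or CIDR entry on the pass list is never written to the block table (pfSense keeps auto-blocked hosts in a pf table named snort2c; the name is only used as a label here). All addresses are constructed from RFC 5737 documentation ranges, and the alert messages are made up. The model shows the nominal effect of each setting; it does not reproduce the poster's report that the WAN was still blocked with the setting on source.

```python
"""
Toy model of the Snort-on-pfSense "block offenders" decision (added example,
not pfSense/Snort code).  Assumptions: an alert has a src and dst IP; the
kill mode is "both", "src" or "dst"; anything on the pass list is never
added to the block table.  Addresses are RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses.  With Snort bridged in front of the edge
# firewall, the firewall's WAN IP is the *destination* of every inbound scan.
WAN_IP = "198.51.100.20"
SCANNER = "203.0.113.7"
WEB_ATTACKER = "203.0.113.9"
EXTERNAL_SITE = "192.0.2.80"


@dataclass(frozen=True)
class Alert:
    """One alert reduced to the fields the block action looks at."""
    msg: str
    src: str
    dst: str


def is_passlisted(ip: str, passlist) -> bool:
    """True if ip matches any host or CIDR entry on the pass list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in passlist)


def ips_to_block(alert: Alert, kill_mode: str, passlist=()) -> set:
    """Return the IPs one alert would add to the block table (snort2c)."""
    if kill_mode not in ("both", "src", "dst"):
        raise ValueError(f"unknown kill mode: {kill_mode!r}")
    candidates = []
    if kill_mode in ("both", "src"):
        candidates.append(alert.src)
    if kill_mode in ("both", "dst"):
        candidates.append(alert.dst)
    # The pass list is the only thing that keeps a candidate out of the table.
    return {ip for ip in candidates if not is_passlisted(ip, passlist)}


def simulate(alerts, kill_mode: str, passlist=()) -> set:
    """Accumulate the block table over a sequence of alerts."""
    table = set()
    for alert in alerts:
        table |= ips_to_block(alert, kill_mode, passlist)
    return table


# Constructed inbound alerts matching the thread: external hosts hit the WAN IP.
INBOUND_ALERTS = [
    Alert("(portscan) TCP Portsweep", src=SCANNER, dst=WAN_IP),
    Alert("(http_inspect) oversize request URI", src=WEB_ATTACKER, dst=WAN_IP),
]

# Constructed outbound alert: a host behind the firewall, NATed to the WAN IP,
# trips a rule while talking to an external site.
OUTBOUND_ALERT = Alert("(policy) suspicious outbound", src=WAN_IP, dst=EXTERNAL_SITE)


if __name__ == "__main__":
    for mode in ("both", "src", "dst"):
        print(f"mode={mode:4} no pass list   -> {sorted(simulate(INBOUND_ALERTS, mode))}")
        print(f"mode={mode:4} WAN passlisted -> "
              f"{sorted(simulate(INBOUND_ALERTS, mode, [WAN_IP]))}")
    print("outbound, both, WAN passlisted ->",
          sorted(simulate([OUTBOUND_ALERT], "both", [WAN_IP])))
```

In this model, with the mode set to both, every inbound alert puts the attacker and the WAN IP into the table, which is the outage the first post describes. Adding the WAN IP to the pass list removes only that one address from the result: external sources are still blocked exactly as before, so inbound protection is unchanged. What the pass list gives up is that an alert whose source is the WAN IP (outbound traffic NATed through it) will never auto-block the WAN side, and in both mode the remote destination is still blocked. That is the trade the last post is asking about, within the assumptions stated above.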