Netgate Discussion Forum

    "Block snort2c hosts" error

      chudak

      Hello all,

      I am a new user of snort + pfsense; I set them up and have them running seemingly fine. However, on some websites (example http://beta.speedtest.net/) I get an error and in the log see a block https://snag.gy/hVPCbq.jpg. The website actually shows the squid error "The system returned: (13) Permission denied", but I suspect it may be a secondary error. Any clues appreciated.

      Thx

        Birke

        Have you checked the alerts/blocks under Services -> Snort?
        The message in the system log only says that snort put the site/IP on its own blocklist. The reason can be seen in snort itself.

          chudak

          Where can I see all the info?

          Say I see blocked IPs https://snag.gy/s7RPen.jpg, how do I correlate this to whatever options/rules/logs etc. if I want to suppress this block or change settings?

          I am looking for a way to copy a message from snort and be able to follow it to the initial rule.

          Is it possible?

            Birke

            Just look under snort alerts and select your WAN interface there.
            Then you see the alerts on that interface. For example:
            ```
            06/23/2017 12:09:59  2  TCP  Potentially Bad Traffic  31.193.143.x  50439  89.x.x.x  1433  1:2010935  ET POLICY Suspicious inbound to MSSQL port 1433
            ```

            The "ET POLICY" shows which rule category it comes from, and the "1:2010935" is the number of the rule.

            With that info you can go to the WAN interface configuration in snort and then select Rules. Select the rule category and search for the rule.

            Or you just go to the snort alerts and click one of the red x for rule suppression/disabling.
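Added example (not part of the original posts, and not the Snort package's own code): a Python sketch of the correlation described in the answer above, going from a blocked IP to the GID:SID of the rule that fired and the matching suppress-list entry. It assumes the interface's alert log is CSV with the column order in `FIELDS`, which should be checked against your own log; the sample lines, addresses and SID 1000001 are constructed.

```python
import csv
import io
from collections import defaultdict

# Assumed column order of the alert CSV; verify against your own log file.
FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "proto", "src", "sport",
          "dst", "dport", "id", "classification", "priority"]

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
06/23/17-12:09:59.101010 ,1,2010935,2,"ET POLICY Suspicious inbound to MSSQL port 1433",TCP,203.0.113.7,50439,198.51.100.2,1433,4242,Potentially Bad Traffic,2
06/23/17-12:10:03.202020 ,1,2010935,2,"ET POLICY Suspicious inbound to MSSQL port 1433",TCP,203.0.113.7,50440,198.51.100.2,1433,4243,Potentially Bad Traffic,2
06/23/17-12:11:40.303030 ,1,1000001,1,"LOCAL constructed example rule",TCP,192.0.2.80,80,198.51.100.2,51812,4250,Misc activity,3
"""


def rules_for_ip(log_text, ip):
    """Group alerts whose source or destination is `ip` by (gid, sid)."""
    hits = defaultdict(lambda: {"msg": "", "classification": "", "count": 0})
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        if ip not in (row["src"], row["dst"]):
            continue  # also skips short/malformed rows (missing fields are None)
        entry = hits[(int(row["gid"]), int(row["sid"]))]
        entry["msg"] = row["msg"]
        entry["classification"] = row["classification"]
        entry["count"] += 1
    return dict(hits)


def suppress_line(gid, sid, ip=None, track="by_src"):
    """Snort suppress entry: for the whole rule, or only for one address."""
    line = f"suppress gen_id {gid}, sig_id {sid}"
    if ip:
        line += f", track {track}, ip {ip}"
    return line


if __name__ == "__main__":
    blocked = "203.0.113.7"  # the address shown on the Blocked tab
    for (gid, sid), info in rules_for_ip(SAMPLE_LOG, blocked).items():
        print(f"{blocked}: {gid}:{sid} x{info['count']} {info['msg']}")
        print("  " + suppress_line(gid, sid, blocked))
```

A suppress entry scoped with `track by_src, ip ...` silences the rule for that one address only, while the form without an address silences it for all traffic on the interface.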
              chudak

              thx

              My issue is that if I look at https://snag.gy/s7RPen.jpg and copy a string from there, I cannot find anything matching under alerts?!

                chudak

                @Birke:

                Just look under snort alerts and select your WAN interface there.
                Then you see the alerts on that interface. For example:
                ```
                06/23/2017 12:09:59  2  TCP  Potentially Bad Traffic  31.193.143.x  50439  89.x.x.x  1433  1:2010935  ET POLICY Suspicious inbound to MSSQL port 1433
                ```

                The "ET POLICY" shows which rule category it comes from, and the "1:2010935" is the number of the rule.

                With that info you can go to the WAN interface configuration in snort and then select Rules. Select the rule category and search for the rule.

                Or you just go to the snort alerts and click one of the red x for rule suppression/disabling.

                It gets a little better now, thx!

                @Birke do you add alerts to the suppress list or disable the rule?
                And I am assuming that after I get no or a low level of alerts I'd enable Block Offenders in interfaces?

                Thx

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.