Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    "Block snort2c hosts" error

    IDS/IPS
    2
    6
    1491
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • chudak
      chudak last edited by

      Hello all,

      I am new user of snort + pfsense, set them up and have  running seemingly fine, however on some websites (example http://beta.speedtest.net/) I get error and in the log see block  https://snag.gy/hVPCbq.jpg, website actually shows squid error "The system returned: (13) Permission denied", but I suspect it maybe secondary error, any clues appreciated

      Thx

      1 Reply Last reply Reply Quote 0
      • B
        Birke last edited by

        have you checked the alerts/blocks under services -> snort?
        the message in system log only says that snort put the site/ip on its own blocklist. the reason can be seen in snort itself.

        1 Reply Last reply Reply Quote 0
        • chudak
          chudak last edited by

          Where can i see all info?

          Say I see blocked IPs https://snag.gy/s7RPen.jpg, how do I correlate this to whatever options/rules/logs etc if I want to suppress this block or change settings ?

          I am looking for a way copy message from snort and be able to follow it till the initial rule.

          Is it possible ?

          1 Reply Last reply Reply Quote 0
          • B
            Birke last edited by

            just look unter snort alerts and there select your wan interface.
            then you see the alerts on that interface. for example```
            06/23/2017
            12:09:59 2 TCP Potentially Bad Traffic 31.193.143.x
                50439 89.x.x.x
              1433 1:2010935
              ET POLICY Suspicious inbound to MSSQL port 1433

            the "ET POLICY" shows from what rule category comes and the "1:2010935" is the number of the rule.

with that info you can go to the wan interface configuration on snort and then select rules. select the rule category and search for the rule.

or you just go to the snort alerts and click one of the red x for rule suppression/disabling.
            1 Reply Last reply Reply Quote 0
            • chudak
              chudak last edited by

              thx

              My issues is that if I look at https://snag.gy/s7RPen.jpg  and copy string from there I can not find anything matching under alerts ?!

              1 Reply Last reply Reply Quote 0
              • chudak
                chudak last edited by

                @Birke:

                just look unter snort alerts and there select your wan interface.
                then you see the alerts on that interface. for example```
                06/23/2017
                12:09:59 2 TCP Potentially Bad Traffic 31.193.143.x
                    50439 89.x.x.x
                  1433 1:2010935
                  ET POLICY Suspicious inbound to MSSQL port 1433

                the "ET POLICY" shows from what rule category comes and the "1:2010935" is the number of the rule.

with that info you can go to the wan interface configuration on snort and then select rules. select the rule category and search for the rule.

or you just go to the snort alerts and click one of the red x for rule suppression/disabling.

                It gets a little better now, thx !

                @Birke do you add alerts to suppress list or disable rule?
                And I am assuming after I get no or low level of alert I'd enable Block Offenders in interfaces?

                Thx

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post