"Block snort2c hosts" error



  • Hello all,

I am a new user of snort + pfsense; I set them up and have them running seemingly fine, however on some websites (example http://beta.speedtest.net/) I get an error and in the log I see a block https://snag.gy/hVPCbq.jpg. The website actually shows the squid error "The system returned: (13) Permission denied", but I suspect it may be a secondary error; any clues appreciated.

    Thx



  • Have you checked the alerts/blocks under Services -> Snort?
    The message in the system log only says that snort put the site/IP on its own blocklist. The reason can be seen in snort itself.



  • Where can I see all the info?

    Say I see blocked IPs https://snag.gy/s7RPen.jpg, how do I correlate this to whatever options/rules/logs etc. if I want to suppress this block or change settings?

    I am looking for a way to copy a message from snort and be able to follow it back to the initial rule.

    Is it possible?



  • Just look under Snort Alerts and there select your WAN interface.
    Then you see the alerts on that interface. For example:

    ```
    06/23/2017
    12:09:59 2 TCP Potentially Bad Traffic 31.193.143.x
        50439 89.x.x.x
      1433 1:2010935
      ET POLICY Suspicious inbound to MSSQL port 1433
    ```

    The "ET POLICY" shows what rule category it comes from and the "1:2010935" is the number of the rule.

    With that info you can go to the WAN interface configuration in snort and then select Rules. Select the rule category and search for the rule.

    Or you just go to the Snort Alerts and click one of the red x's for rule suppression/disabling.

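The correlation described above, as an added example that is not part of the forum thread and not the pfSense Snort package's own code: it parses Snort alert_fast lines (the format Snort writes to the alerts log behind the Snort Alerts tab), pulls out the GID:SID and the "ET <CATEGORY>" message prefix, and builds the `suppress gen_id ..., sig_id ...` entry that the suppress list takes. The sample log lines are constructed; the mapping of "ET POLICY" to `emerging-policy.rules` follows the Emerging Threats file naming convention and is an assumption here, as is the triage heuristic (one noisy source: suppress by source; many sources: the rule itself is the problem).

```python
"""Triage Snort alert_fast lines: extract GID:SID, guess the ET rules file,
and produce suppress-list entries.  Added example, not from the thread or
the pfSense Snort package."""
import json
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample data.  Line layout is Snort's alert_fast format;
# addresses, the second SID hit, and the preprocessor event are made up.
SAMPLE_ALERTS = """\
06/23-12:09:59.123456  [**] [1:2010935:3] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 31.193.143.10:50439 -> 89.10.10.10:1433
06/23-12:10:03.000001  [**] [1:2010935:3] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 31.193.143.11:50440 -> 89.10.10.10:1433
06/23-12:11:45.500000  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51234 -> 89.10.10.10:443
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a well-formed alert_fast line, else None (IPv4 only)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return Alert(
        int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"], m["cls"],
        int(m["prio"]), m["proto"], m["src"],
        int(m["sport"]) if m["sport"] else None,
        m["dst"], int(m["dport"]) if m["dport"] else None,
    )


def rule_file_hint(a: Alert) -> Optional[str]:
    """GID 1 events come from text rules; an 'ET <CATEGORY>' message prefix
    maps to emerging-<category>.rules (assumed ET naming convention).  Other
    GIDs are preprocessor events, so there is no rules file to search."""
    if a.gid != 1:
        return None
    m = re.match(r"ET\s+([A-Z_]+)\b", a.msg)
    return f"emerging-{m.group(1).lower()}.rules" if m else None


def suppress_entry(a: Alert, track: Optional[str] = None) -> str:
    """Snort suppress syntax as accepted by the pfSense suppress list.
    track=None suppresses the signature everywhere; by_src/by_dst only for
    the address seen in this alert."""
    entry = f"suppress gen_id {a.gid}, sig_id {a.sid}"
    if track == "by_src":
        entry += f", track by_src, ip {a.src}"
    elif track == "by_dst":
        entry += f", track by_dst, ip {a.dst}"
    return entry


def triage(text: str) -> dict:
    """Group alerts by GID:SID.  Heuristic (an assumption, not Snort policy):
    one source firing a rule -> suppress only that source; several sources
    -> the rule itself is noisy, suppress (or disable) it by SID."""
    sources = defaultdict(Counter)
    first = {}
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # not an alert_fast line (or IPv6, which we skip)
        key = (a.gid, a.sid)
        sources[key][a.src] += 1
        first.setdefault(key, a)
    out = {}
    for key, srcs in sources.items():
        a = first[key]
        suggest = suppress_entry(a, "by_src") if len(srcs) == 1 else suppress_entry(a)
        out[f"{a.gid}:{a.sid}"] = {
            "msg": a.msg,
            "rule_file": rule_file_hint(a),
            "sources": dict(srcs),
            "suggest": suggest,
        }
    return out


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ALERTS), indent=2))
```

Running it prints one entry per GID:SID with the rules file to grep for the SID and the suppress line to paste; paste the `suppress ...` line into the interface's suppress list rather than disabling the rule when only one host is the noise source, since a disabled rule stops alerting for everyone.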

  • thx

    My issue is that if I look at https://snag.gy/s7RPen.jpg and copy a string from there, I cannot find anything matching under alerts?!



  • @Birke:

    Just look under Snort Alerts and there select your WAN interface.
    Then you see the alerts on that interface. For example:

    ```
    06/23/2017
    12:09:59 2 TCP Potentially Bad Traffic 31.193.143.x
        50439 89.x.x.x
      1433 1:2010935
      ET POLICY Suspicious inbound to MSSQL port 1433
    ```

    The "ET POLICY" shows what rule category it comes from and the "1:2010935" is the number of the rule.

    With that info you can go to the WAN interface configuration in snort and then select Rules. Select the rule category and search for the rule.

    Or you just go to the Snort Alerts and click one of the red x's for rule suppression/disabling.

    It gets a little better now, thx!

    @Birke, do you add alerts to the suppress list or disable the rule?
    And I am assuming that after I get no or a low level of alerts I'd enable Block Offenders on the interfaces?

    Thx

