"Block snort2c hosts" error
-
Hello all,
I am a new user of snort + pfsense, set them up and have them running seemingly fine, however on some websites (example http://beta.speedtest.net/) I get an error and in the log see a block https://snag.gy/hVPCbq.jpg, the website actually shows the squid error "The system returned: (13) Permission denied", but I suspect it may be a secondary error, any clues appreciated
Thx
-
have you checked the alerts/blocks under services -> snort?
the message in the system log only says that snort put the site/ip on its own blocklist. the reason can be seen in snort itself.
-
Where can I see all the info?
Say I see blocked IPs https://snag.gy/s7RPen.jpg, how do I correlate this to whatever options/rules/logs etc. if I want to suppress this block or change settings?
I am looking for a way to copy a message from snort and be able to follow it back to the initial rule.
Is it possible?
-
just look under snort alerts and there select your wan interface.
then you see the alerts on that interface. for example
```
06/23/2017 12:09:59 2 TCP Potentially Bad Traffic 31.193.143.x 50439 89.x.x.x 1433 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
```
the "ET POLICY" shows what rule category it comes from and the "1:2010935" is the number of the rule. with that info you can go to the wan interface configuration in snort and then select rules. select the rule category and search for the rule. or you just go to the snort alerts and click one of the red x for rule suppression/disabling.
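An added example (my code, not from the thread or the pfSense Snort package) that puts Birke's reading of an alert line into a small script: it parses alert records laid out with the fields shown above, picks out the alerts that name a snort2c-blocked address, and turns them into the per-host entries Snort's suppress list uses. The alert records and IP addresses are constructed; only the GID:SID and message of the first alert come from the thread.

```python
"""Correlate a snort2c-blocked address with the Snort alerts behind it and
build per-host suppress entries (added example, not pfSense package code).
Alert records are constructed with the fields the pfSense Snort alerts tab
shows (date, time, priority, protocol, classification, source, source port,
destination, destination port, GID:SID, message); addresses are RFC 5737
documentation addresses, not real hosts."""
from collections import namedtuple

Alert = namedtuple("Alert", "date time priority proto classification "
                   "src sport dst dport gid sid msg")

# Constructed sample: two alerts involve 198.51.100.10, the third does not.
CONSTRUCTED_ALERTS = [
    "06/23/2017\t12:09:59\t2\tTCP\tPotentially Bad Traffic\t198.51.100.10\t50439"
    "\t203.0.113.5\t1433\t1:2010935\tET POLICY Suspicious inbound to MSSQL port 1433",
    "06/23/2017\t12:10:03\t2\tTCP\tPotentially Bad Traffic\t198.51.100.10\t50440"
    "\t203.0.113.5\t1433\t1:2010935\tET POLICY Suspicious inbound to MSSQL port 1433",
    "06/23/2017\t12:11:30\t3\tUDP\tMisc activity\t203.0.113.5\t53"
    "\t192.0.2.7\t40000\t1:99999999\tCONSTRUCTED alert with a made-up SID",
]

def parse_alert(line):
    """Split one tab-separated alert record into typed fields. The GID:SID
    pair ('1:2010935' in the thread) is what identifies the rule."""
    f = line.split("\t")
    if len(f) != 11:
        raise ValueError("expected 11 alert fields, got %d" % len(f))
    gid, sid = f[9].split(":")
    return Alert(f[0], f[1], int(f[2]), f[3], f[4], f[5], int(f[6]),
                 f[7], int(f[8]), int(gid), int(sid), f[10])

def alerts_for_blocked_host(alerts, blocked_ip):
    """snort2c blocks the offending address, so any alert naming it as
    source or destination is a candidate explanation for the block."""
    return [a for a in alerts if blocked_ip in (a.src, a.dst)]

def suppress_entries(alerts, blocked_ip):
    """Build Snort suppress-list lines (threshold.conf syntax: suppress gen_id
    <gid>, sig_id <sid>, track by_src|by_dst, ip <addr>). Suppressing one host
    keeps the rule active for all other traffic, unlike disabling the rule."""
    entries = set()
    for a in alerts:
        track = "by_src" if a.src == blocked_ip else "by_dst"
        entries.add("suppress gen_id %d, sig_id %d, track %s, ip %s"
                    % (a.gid, a.sid, track, blocked_ip))
    return sorted(entries)

if __name__ == "__main__":
    parsed = [parse_alert(rec) for rec in CONSTRUCTED_ALERTS]
    print(suppress_entries(alerts_for_blocked_host(parsed, "198.51.100.10"), "198.51.100.10"))
```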
-
thx
My issue is that if I look at https://snag.gy/s7RPen.jpg and copy the string from there I cannot find anything matching under alerts?!
-
It gets a little better now, thx!
@Birke do you add alerts to suppress list or disable rule?
And I am assuming that after I get no or a low level of alerts I'd enable Block Offenders on the interfaces?
Thx