What is Snort Blocking Right Now?



  • My wife has an app on her phone. It doesn't work properly on our pfSense w/Snort network. But it does work fine over Cell Data and our friends' WiFi. So I'm thinking Snort has blocked something.
    But I can't figure out how to determine what IP Address is being blocked 'right now' (i.e. when she's trying to use her app). The Snort alerts are over an hour old.
    I know this should be painfully obvious, but I just can't find it. And Googling hasn't turned up any clues.
    Thanks, in advance, for your help!



  • @LianYu4:

    My wife has an app on her phone. It doesn't work properly on our pfSense w/Snort network. But it does work fine over Cell Data and our friends' WiFi. So I'm thinking Snort has blocked something.
    But I can't figure out how to determine what IP Address is being blocked 'right now' (i.e. when she's trying to use her app). The Snort alerts are over an hour old.
    I know this should be painfully obvious, but I just can't find it. And Googling hasn't turned up any clues.
    Thanks, in advance, for your help!

    There is a tab called BLOCKS.  That tab shows the list of IP addresses that are currently being blocked along with the rule (or rules) that triggered the block.  You should also configure the "Clear Blocked Hosts" setting on the GLOBAL SETTINGS tab to something like 15 minutes or maybe up to an hour.  This will automatically remove blocked hosts after the specified period if those hosts have not seen traffic during the period.

    You can manually remove blocks on the BLOCKS tab as well by clicking the icon next to the block.

    Bill



  • Thanks. But I already know about the block tab. I don't want to remove all of them.
    My question was how I can see which address is being blocked this instant. Then I can unblock just that one… because I don't know which one is required for her app to run properly.
    Plus, if I just unblock all of them, instead of whitelisting just the one, then it'll just get blocked again.



  • @LianYu4:

    Thanks. But I already know about the block tab. I don't want to remove all of them.
    My question was how I can see which address is being blocked this instant. Then I can unblock just that one… because I don't know which one is required for her app to run properly.
    Plus, if I just unblock all of them, instead of whitelisting just the one, then it'll just get blocked again.

    With Snort there is no such thing as "… address being blocked this instant".  All of the IP addresses shown are being blocked continuously until they are removed.  If you want to see the most recent one, then look on the ALERTS tab.  Alerts are shown with most recent first.

    I don't mean to sound rude or condescending, but from your explanation of your problem I don't think you are ready to use Snort in blocking mode yet.  You need to run it in IDS, or non-blocking mode, for several weeks and study the various alerts you receive.  You can use Google searches to help you decide which alerts are potential false positives for your environment.  That will help you tune your rule set properly.  Once you understand how your rule set interacts with your network environment and have suppressed rules prone to false positives on your network, then you can enable blocking mode.

    Bill



  • Maybe I'm using the wrong terminology. What I mean by 'being blocked this instant' is when her app tries to run, it's trying to connect to an IP address and Snort is blocking it. I don't know what that IP address is, as the App doesn't list what servers it connects to. I don't know what IP Address Snort is blocking the response from because there is nothing in Snort, or the Diagnostics tab, that shows remote IP addresses that are sending (or trying to send) packets to my router. Even on the Status/Traffic Graphs tab, none of the IP addresses popping up on the WAN adapter match anything in the Snort Blocked sites list - all done while I'm using her app and watching it fail.
    So it's all smoke and mirrors to me.
    There is apparently no tool or function to list all incoming packets' source IP addresses (blocked or not). Personally, I don't understand this (maybe I'm being naive and stupid). I don't get why an enterprise level router, like pfSense, doesn't have this ability.
    If the Alerts in Snort don't show an Alert of incoming traffic that is being blocked, only random old data, then what use is it?
    None of the Snort alerts correspond to any of the times I tried her app and watched it fail.
    So, how do I know Snort is blocking her app? I KILLED all the Snort blocks and magically her app started working again…at least until Snort starts blocking it again because at some point it will do something Snort doesn't like, again.
    What is the app doing that Snort doesn't like? I have no fracken clue.
    What IP address is Snort blocking? I have no fracken clue.
    IMO, is Snort user friendly? Heck no.
    It's a black box.



  • @LianYu4:

    Maybe I'm using the wrong terminology. What I mean by 'being blocked this instant' is when her app tries to run, it's trying to connect to an IP address and Snort is blocking it. I don't know what that IP address is, as the App doesn't list what servers it connects to. I don't know what IP Address Snort is blocking the response from because there is nothing in Snort, or the Diagnostics tab, that shows remote IP addresses that are sending (or trying to send) packets to my router. Even on the Status/Traffic Graphs tab, none of the IP addresses popping up on the WAN adapter match anything in the Snort Blocked sites list - all done while I'm using her app and watching it fail.
    So it's all smoke and mirrors to me.
    There is apparently no tool or function to list all incoming packets' source IP addresses (blocked or not). Personally, I don't understand this (maybe I'm being naive and stupid). I don't get why an enterprise level router, like pfSense, doesn't have this ability.
    If the Alerts in Snort don't show an Alert of incoming traffic that is being blocked, only random old data, then what use is it?
    None of the Snort alerts correspond to any of the times I tried her app and watched it fail.
    So, how do I know Snort is blocking her app? I KILLED all the Snort blocks and magically her app started working again…at least until Snort starts blocking it again because at some point it will do something Snort doesn't like, again.
    What is the app doing that Snort doesn't like? I have no fracken clue.
    What IP address is Snort blocking? I have no fracken clue.
    IMO, is Snort user friendly? Heck no.
    It's a black box.

    The IP that Snort blocked will be shown in two places.  One is on the ALERTS tab and the other is on the BLOCKS tab.  They are as plain as day to see there if you go look.  Both tabs show you the blocked address, and the ALERTS tab shows you both the source and destination IP addresses (if you are running Snort on the LAN interface as I recommend).  If you are running Snort on the WAN, then the only local IP address you will see is your WAN IP.

    Snort and Suricata are not like an anti-virus client.  You can't just install the package, download all the rules and call it done.  Both packages are designed for security admins with training on IDS/IPS operation, rule selection and tuning.  If you don't want to take the time to do all the research to learn how to do these things, running either of those packages is not going to be fun for you.  You are going to get lots of blocks from false positives.  These packages are really not intended for use on home networks unless your day job is an IDS/IPS admin.

    Bill
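    One way to do the correlation Bill describes (the BLOCKS list against the most recent entries on the ALERTS tab) from a shell on the firewall, narrowed to the minutes the app was actually failing. This is an added example, not code from the pfSense Snort package: it assumes Snort writes year-stamped fast-alert lines and that blocked hosts are read from the snort2c pf table, and every sample line below is constructed.

```python
import re
from datetime import datetime

# Snort "alert_fast" style lines (constructed sample, not a real log). Assumption:
# year-stamped fast-alert output; adjust ALERT_RE if your instance logs differently.
SAMPLE_ALERTS = """\
05/14/18-19:02:11.123456  [**] [1:1000001:1] LOCAL example file download [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.10:443 -> 192.168.1.77:50001
05/14/18-20:31:05.000123  [**] [1:1000002:1] LOCAL example app telemetry beacon [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.77:41000 -> 198.51.100.20:443
05/14/18-20:31:07.445000  [**] [1:1000003:1] LOCAL example scan [**] [Classification: Misc activity] [Priority: 2] {TCP} 192.0.2.99:5555 -> 192.168.1.50:22
05/14/18-20:32:40.000000  [**] [1:1000004:1] LOCAL example dns [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.77:53011 -> 192.0.2.5:53
"""
# Output of `pfctl -t snort2c -T show`, the pf table Snort blocks into (constructed).
SAMPLE_BLOCKS = "   203.0.113.10\n   198.51.100.20\n   192.0.2.99\n"

ALERT_RE = re.compile(
    r"^(\S+)\.\d+\s+\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\].*"
    r"\{(\w+)\} ([\d.]+):?\d* -> ([\d.]+):?\d*$")

def parse_alerts(text):
    """Turn fast-alert lines into dicts; lines that don't match are skipped."""
    alerts = []
    for m in filter(None, map(ALERT_RE.match, text.splitlines())):
        alerts.append({"time": datetime.strptime(m.group(1), "%m/%d/%y-%H:%M:%S"),
                       "sid": int(m.group(3)), "msg": m.group(5),
                       "src": m.group(7), "dst": m.group(8)})
    return alerts

def parse_blocks(text):
    return {line.strip() for line in text.splitlines() if line.strip()}

def blocked_during(alerts, blocked, start, end, host):
    """Map each blocked remote IP to the alerts it raised with `host` (the
    phone's LAN IP) inside [start, end], i.e. while the app was failing."""
    hits = {}
    for a in alerts:
        if not (start <= a["time"] <= end) or host not in (a["src"], a["dst"]):
            continue
        remote = a["dst"] if a["src"] == host else a["src"]
        if remote in blocked:
            hits.setdefault(remote, []).append("%d %s" % (a["sid"], a["msg"]))
    return hits

if __name__ == "__main__":
    window = (datetime(2018, 5, 14, 20, 30), datetime(2018, 5, 14, 20, 35))
    found = blocked_during(parse_alerts(SAMPLE_ALERTS), parse_blocks(SAMPLE_BLOCKS),
                           *window, "192.168.1.77")
    for ip, reasons in found.items():   # candidate for a pass list / suppress entry
        print(ip, "->", reasons)
```

    The SIDs it prints are the ones to look up and, if they are false positives for this app, suppress, rather than clearing the whole block list.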



  • Instead of unblocking all, you should unblock them one at a time (clicking the red x) until you find which was the correct IP address.



  • @NollipfSense:

    Instead of unblocking all, you should unblock them one at a time (clicking the red x) until you find which was the correct IP address.

    Thank you, NollipfSense, I will go through those steps next time Snort blocks this app. Unlike bmeeks's, your suggestion was actually helpful and not derogatory.

    I was hoping there was some real-time monitor function where I could see which internet IP address Snort was receiving packets from and blocking. But apparently not.

    Thanks again.


  • @LianYu4:

    Unlike bmeeks's, your suggestion was actually helpful and not derogatory.

    You do realise Bill created the Snort package for pfSense don't you?

    I don't think Bill's comments were derogatory at all. Snort can be quite a complex thing to set up, and he's quite correct that the best thing to start off with is non-blocking, then disable the rules; if you do it the other way you're constantly chasing your tail :)


  • He will now or during the next 30 days. I went through this discussion and I can only see Bill and you taking time to explain how Snort works.

    Thank you to both of you for trying to help :)



  • Read through these forums on IDS/IPS and you will notice a trend that Bill is more than helpful. I've learned so much just reading through other people's issues as well as my own. Bill goes out of his way to not be condescending, but sometimes stating things in forums may seem that way. Unfortunately, you can't type tone.

    NollipfSense has great advice for this instance and in general when trying to isolate a specific case. Bill's advice is really the only long term solution. I went through the same troubles for a long time till I got my IPS working the way it does now. It takes time for trial, error, reading, more errors, more reading, watch some videos on it, and so on.

    Good luck

