snort blocking dns servers



  • I have pfSense working as a gateway, with Snort running on it. When I get a malware alert, Snort blocks the DNS server and the internet stops working across the whole LAN. Is it possible to only kill connections and not ban the IP?



  • You need to examine the Snort rules that are alerting and blocking to determine if they are false positives in your environment. Google searches are a big help with this. There is also an old message thread in this forum about "suppress rules" for reducing false positives.

    You can also add the IP of your DNS server to a Pass List, although they should be included in the default pass list if the IP addresses are entered in the pfSense setup.



  • It's a different problem - Snort is blocking a DNS IP address which is whitelisted in the Snort configuration.


  • What rule is being triggered? If I try to ping fred.top I see the following in my logs, but it's not blocking:

    0_1533636757230_Untitled.png



  • @rogg said in snort blocking dns servers:

    It's a different problem - Snort is blocking a DNS IP address which is whitelisted in the Snort configuration.

    When Snort blocks on a triggered alert, it can block either the Source IP, Destination IP or Both depending on a setting on the Interface Configuration tab. As @NogBadTheBad stated, check the Alerts tab to see which rule or rules are being triggered and blocking. You can filter on the tab by IP address to help in locating rules with your DNS server IP in either the SRC or DST columns.
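
The check described in the reply above, as an added example that is not part of the thread or of the Snort package: given alert lines and the "which IP to block" choice, it lists the rules whose alerts would put the DNS server's address on the block list. The CSV column order, the sample alerts, the SIDs and the addresses are all constructed assumptions.

```python
import csv
import io
from collections import Counter

# Assumed column order for the alert export; adjust to match your log.
FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "proto",
          "src", "sport", "dst", "dport"]

# Constructed sample alerts (documentation addresses, made-up SIDs).
SAMPLE = """\
08/07-10:12:01,1,9000001,1,"EXAMPLE DNS query for suspicious TLD",UDP,192.0.2.10,51000,198.51.100.53,53
08/07-10:12:01,1,9000002,1,"EXAMPLE malware DNS response",UDP,198.51.100.53,53,192.0.2.10,51000
08/07-10:12:05,1,9000003,1,"EXAMPLE HTTP policy alert",TCP,192.0.2.11,40000,203.0.113.80,80
08/07-10:13:09,1,9000001,1,"EXAMPLE DNS query for suspicious TLD",UDP,192.0.2.12,51001,198.51.100.53,53
"""


def rules_blocking(alert_csv, ip, which_ip):
    """Return Counter {(gid, sid, msg): hits} for alerts that would block `ip`.

    which_ip mirrors the "which IP to block" choice: "src", "dst" or "both".
    """
    if which_ip not in ("src", "dst", "both"):
        raise ValueError("which_ip must be 'src', 'dst' or 'both'")
    hits = Counter()
    for row in csv.DictReader(io.StringIO(alert_csv), fieldnames=FIELDS):
        # Collect the addresses this alert would block under the chosen mode.
        blocked = set()
        if which_ip in ("src", "both"):
            blocked.add(row["src"])
        if which_ip in ("dst", "both"):
            blocked.add(row["dst"])
        if ip in blocked:
            hits[(int(row["gid"]), int(row["sid"]), row["msg"])] += 1
    return hits


if __name__ == "__main__":
    dns_server = "198.51.100.53"  # constructed DNS server address
    for mode in ("src", "dst", "both"):
        print(f"block {mode}:")
        for (gid, sid, msg), n in rules_blocking(SAMPLE, dns_server, mode).most_common():
            print(f"  {gid}:{sid}  x{n}  {msg}")
```

The rules it lists are the ones to review as possible false positives before deciding on a suppress entry or a Pass List change.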


 
