Netgate Discussion Forum
    Detecting a Block Event in logs from Snort

    IDS/IPS
    3 Posts 2 Posters 1.2k Views
    greaseball

      I have pfSense sending everything from the logs to a syslog instance on a SIEM server. The alerts are showing up without any issues, I can query the logs and look at events Snort has detected.

      Does anyone know if there are any specific messages/logs that occur when an IP ends up on the Snort block list? I wanted to have an alert on the SIEM trigger whenever an IP ends up on the block list, but I cannot locate anything specific in the logs stating that it has begun to block an IP.

      Thanks.

      bmeeks @greaseball

        @greaseball
        With Snort in blocking mode, every alert shown on the ALERTS tab will generate a block of the corresponding IP addresses. The only exception is if the IP address is on a Pass List.

        There is no separate log of "blocks". When you view blocked IP addresses on the BLOCKS tab all that code is doing is reading the contents of the pf table snort2c and displaying it. The code also reads the alert log file to find the matching IP addresses (if the log has not been rotated such that the IP addresses no longer appear in the active log) and displays some of the alert event information by reading it from the alerts log.

        Just one more piece of advice -- you will quickly come to regret this: "I wanted to have an alert on the SIEM trigger whenever an IP ends up on the block list." Unless you get like one or two alerts per day this will very quickly get old and you will become numb to the alerts. Much like the fable of the boy who cried wolf. On a busy network you can get so many alerts each day that you get overwhelmed. Every new security admin thinks this is a great idea until they actually implement it and have their Inbox slammed. It's much better to have your SIEM generate a daily report and perhaps group alerts by priority or something. You then review the previous day's report when you get in each morning. Maybe having one or two very sensitive hosts that you monitor alert-by-alert might make sense, but practically never for an entire network with lots of clients.

          greaseball @bmeeks
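The mechanism bmeeks describes above (no block log; the BLOCKS tab is the pf table `snort2c` joined to the alert file) means a "block event" has to be reconstructed by the consumer. The script below is an added example, not code from this thread or from the pfSense Snort package: it diffs two snapshots of `snort2c` (the text that `pfctl -t snort2c -T show` prints), joins each newly added address to the most recent alert that names it, emits one syslog-style line per new block, and also builds the priority-grouped daily summary he recommends instead of per-block alerting. Everything else is an assumption made for the example: the alert file is taken to be in Snort's classic single-line `alert_fast` format, the pass list is a plain set of addresses, and the sample alerts and table snapshots are constructed.

```python
"""Reconstruct Snort 'block events' on pfSense by diffing the pf table snort2c
and correlating new entries with the alert log. Added example; assumptions:
alert_fast log format, pfctl -T show text for the table, a set for the pass list."""
import re
from collections import Counter

# Classic Snort "alert_fast" line (assumption: the pfSense package writes this
# single-line format to its alert file; anything that does not match is skipped).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::\d+)?\s+->\s+(?P<dst>\S+?)(?::\d+)?\s*$"
)

# Constructed sample input: three alerts and two snapshots of the table in the
# layout `pfctl -t snort2c -T show` uses (one indented address per line).
ALERT_LOG = """\
10/15-08:01:12.100000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 10.0.0.5:51234
10/15-08:02:40.500000  [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:44321 -> 10.0.0.9:3306
10/15-08:03:02.000000  [**] [1:1000001:1] LOCAL ICMP ping sweep [**] [Priority: 3] {ICMP} 192.0.2.44 -> 10.0.0.1
"""
TABLE_BEFORE = "   203.0.113.10\n"          # already in the table at the last poll
TABLE_AFTER = "   203.0.113.10\n   198.51.100.7\n   192.0.2.44\n"
# Constructed pass list: the LAN hosts, which the package never blocks.
PASS_LIST = {"10.0.0.1", "10.0.0.5", "10.0.0.9"}


def parse_pf_table(text):
    """Addresses from `pfctl -t snort2c -T show` output."""
    return {ln.strip() for ln in text.splitlines() if ln.strip()}


def parse_alerts(text):
    """Parse alert_fast lines in file order; unparseable lines are dropped."""
    out = []
    for ln in text.splitlines():
        m = ALERT_RE.match(ln)
        if m:
            d = m.groupdict()
            d["pri"] = int(d["pri"])
            out.append(d)
    return out


def expected_blocks(alerts, pass_list):
    """What the post describes: both endpoints of every alert, minus the pass list."""
    ips = {a["src"] for a in alerts} | {a["dst"] for a in alerts}
    return ips - pass_list


def block_events(before, after, alerts):
    """Newly added table entries, each joined to the latest alert naming it.
    The package clears snort2c on a schedule, so an address can legitimately
    show up as a 'new' block more than once; an entry whose alert has already
    been rotated out of the active log gets alert=None."""
    events = []
    for ip in sorted(parse_pf_table(after) - parse_pf_table(before)):
        hits = [a for a in alerts if ip in (a["src"], a["dst"])]
        events.append({"ip": ip, "alert": hits[-1] if hits else None})
    return events


def to_syslog(ev):
    """One line per block to hand to syslog (e.g. via logger(1)). This message
    layout is the example's own, not a pfSense or Snort format."""
    a = ev["alert"]
    if a is None:
        return f"snort-block: ip={ev['ip']} reason=unknown (alert log rotated?)"
    return (f"snort-block: ip={ev['ip']} sig=[{a['gid']}:{a['sid']}:{a['rev']}] "
            f"pri={a['pri']} msg=\"{a['msg']}\" {a['src']} -> {a['dst']}")


def priority_report(alerts):
    """The alternative suggested in the post: a daily summary grouped by
    priority. Returns {priority: Counter(signature message -> count)}."""
    rep = {}
    for a in alerts:
        rep.setdefault(a["pri"], Counter())[a["msg"]] += 1
    return rep


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_LOG)
    # Sanity check of the model in the post: table contents == alert endpoints - pass list.
    print("table matches alerts:", expected_blocks(alerts, PASS_LIST) == parse_pf_table(TABLE_AFTER))
    for ev in block_events(TABLE_BEFORE, TABLE_AFTER, alerts):
        print(to_syslog(ev))
    for pri, sigs in sorted(priority_report(alerts).items()):
        print(f"priority {pri}: {sum(sigs.values())} alert(s)", dict(sigs))
```

On the firewall itself the two snapshot strings would come from running `pfctl -t snort2c -T show` on each poll (a cron job keeping the previous output in a file) and the alert text from the instance's alert file under `/var/log/snort`; the resulting `snort-block:` lines can be shipped with `logger` so the SIEM sees a distinct block message rather than having to infer it from the alert stream. The `alert=None` branch is the caveat bmeeks raises about log rotation: once the alert that triggered a block is no longer in the active log, the address in the table is all that remains.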

          @bmeeks

          Thanks, bmeeks. I agree that the alerts can be overwhelming. To that effect, I have a rule set up to put alert e-mails into a particular folder so they don't pummel my Inbox.

          This is something I wanted to set up for a few days, more of an observation than anything else.

          Thanks for taking the time to reply, your answer gave me a little better understanding of the architecture of pfSense.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.