Detecting a Block Event in logs from Snort
-
I have pfSense sending Everything from the logs to a syslog instance on an SIEM server. The alerts are showing up without any issues, I can query the logs and look at events Snort has detected.
Does anyone know if there are any specific messages/logs that occur when an IP ends up on the Snort block list? I wanted to have an alert on the SIEM trigger whenever an IP ends up on the block list, but I cannot locate anything specific in the logs stating that it has begun to block an IP.
Thanks.
-
@greaseball
With Snort in blocking mode, every alert shown on the ALERTS tab will generate a block of the corresponding IP addresses. The only exception is if the IP address is on a Pass List.There is no separate log of "blocks". When you view blocked IP addresses on the BLOCKS tab all that code is doing is reading the contents of the pf table snort2c and displaying it. The code also reads the alert log file to find the matching IP addresses (if the log has not been rotated such that the IP addresses no longer appear in the active log) and displays some of the alert event information by reading it from the alerts log.
Just one more piece of advice -- you will quickly come to regret this: I wanted to have an alert on the SIEM trigger whenever an IP ends up on the block list. Unless you get like one or two alerts per day this will very quickly get old and you will become numb to the alerts. Much like the fable of the boy who cried wolf. On a busy network you can get some many alerts each day that you get overwhelmed. Every new security admin thinks this is a great idea until they actually implement it and have their Inbox slammed. It's much better to have your SIEM generate a daily report and perhaps group alerts by priority or something. You then review the previous day's report when you get in each morning. Maybe having one or two very sensitive hosts that you monitor alert-by-alert might make sense, but practically never for an entire network with lots of clients.
-
Thank bmeeks. I agree that the alerts can be overwhelming. To that effect, I have a rule set up to put alert e-mails into a particular folder so they don't pummel my Inbox.
This is something I wanted to set-up for a few days, more of an observation than anything else.
Thanks for taking the time to reply, your answer gave me a little better understanding of the architecture of pfSense.