Why SNORT do not block IP ?
-
Hi all,
I recently install pfsense lastest version, and SNORT activated. I was before on Smoothwall and saw IP blocked the day after the install. But now, i can't see IP blocked with pfSense. I don't believe that nobody is aggressing my firewall :-)
If i select icmp rules to be enabled, i can see some blocked IP. But each time i try to connect to a site, i can see after a couple of minutes the IP blocked by SNORT. It means that blocking works.
Another problem, each time i modifiy something in SNORT, the service stop and don't restart, even if i click on the start button, the message "Snort have been started" is present, but service don't run.
Is this an issue or a missing configuration ?
Thanks for your help
Julien
-
What version of snort are you running and what pfsense version ?
-
Hi,
pfSense 1.2.2 and SNORT 2.8.2.6.
-
OK, i found the solution in the forum, it seems that there is a ; after a & and it must be deleted in the /usr/local/rc.d/snort.sh file. But after a couple of hours, i still don't see any alert and any blocked IP (and it was a hudge with SmoothWall).
Is there someone who found the solution to this issue ?
Regards
-
Type; ps -aux | grep snort and tell me what you see.
You should see this in the pfsense terminal.
root 54702 0.0 17.3 77192 43184 ?? Ss Wed12PM 0:33.46 snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i ng0 -A fast
root 54727 0.0 0.4 3132 892 ?? Is Wed12PM 0:00.00 snort2c -w /var/db/whitelist -a /var/log/snort/alert -
It seems to be OK :
root 2712 100.0 74.1 557284 281852 ?? Rs 9:15PM 4:34.00 snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i rl1 -A fast
root 3276 0.0 0.2 3132 748 ?? Is 9:18PM 0:00.00 snort2c -w /var/db/whitelist -a /var/log/snort/alertIt was working today, i saw blocked IP, but after the reboot, and even after modified again the file, i can't see any alerts. I use shields UP to generate a lot of connection, it was blocked this morning, but not this evening ???
-
I tried several times… Ans always the same problem. A lot of difficulty to start SNORT :
snort[27866]: FATAL ERROR: Failed to Lock PID File "/var/run//snort_rl1.pid" for PID "27866"
I think about uninstall this tool, and wait for a patch available !
-
Here is the patch I submitted to the core team and I plan to add others. They seem really busy so don't know when will see them, hopefully soon.
One side note, you do know that Blocked Ips get removed after an hour.Just replace the red with the green in your snort.inc
https://rcs.pfsense.org/projects/pfsense-packages/repos/robiscool-clone/commits/58cdea65b46e26a946013207abc96a59b178602d
-
Thanks a lot four your reply. I will test it and keep you informed.
Yes, i already know that IP are blocked for 1 hour, but in my case, even not 1 minute :)Cheers
-
:-[ Not working. It's ok at the beginning but each time i modify something, the service do not block IP. And also i have some difficulty with POP, remote server are blocked by SNORT (whitout the POP rules checked).
Anyway, i won't use it, that's all !Thnaks anyway for your help ! ;)