Snort blocked hosts
-
This sounds like a simple question, but still...
Where and how snort keeps a list of blocked hosts?
Thx
-
Services -> Snort -> Global Settings -> Remove Blocked Hosts Interval << interval when the snort2c table entries are cleared
Services -> Snort-> Blocked Hosts
Diagnostics -> Tables -> Snort2c
-
@chudak said in Snort blocked hosts:
This sounds like a simple question, but still...
Where and how snort keeps a list of blocked hosts?
Thx
As @NogBadTheBad stated, Snort does not keep a list itself. Instead, when a block is required, Snort passes the IP address (or addresses) to the packet filter firewall engine in pfSense. Specifically, Snort writes the addresses it wants blocked into a pf table called snort2c. This table is created by the pfSense code at bootup. So long as an IP remains in that table, the firewall will block it. Rebooting pfSense clears the table.
To show you IP addresses being blocked on the BLOCKED tab, Snort simply reads the contents of the snort2c table (using a shell command) and writes the list of addresses to the screen. To obtain some "context" for each IP address by showing some additional info, Snort scans the currently active alerts log file and looks for any matching alerts where the IP address matches one of the IP addresses in the snort2c table. It pulls the data from that alert line and uses it to provide some additional details about the blocked IP (which rule and what time, for example). It groups by the blocked IP, so you may see a number of alerts associated with a single blocked IP.
-
Thx it makes sense
-
Is there a way to make the table snort2c persistent, e.g. survive a reboot?
-
@chudak said in Snort blocked hosts:
Is there a way to make the table snort2c persistent, e.g. survive a reboot?
No - and you are not the first to ask. This has been asked for many times. In my view, there is no need for such a complicated mechanism. If Snort blocked the traffic once, why would it not block it again? Why persist blocks across reboots? What useful purpose is served by loading up the firewall with thousands of previous IP blocks?
I don't mean to sound cranky (and I guess I do), but I truly see zero value in persisting snort2c blocks.
-
You sound fine no worries
And I’m actually not disagreeing on this point
Need to digest, but then to be consistent with this - why do we allow the Remove Blocked Hosts Interval option? What do we need it for? Snort blocks hosts for say 1 hour and automatically removes it and then if needed blocks again. How does that sound?
PS: I’m not advocating for this change, just underlining the point.
-
@chudak said in Snort blocked hosts:
You sound fine no worries
And I’m actually not disagreeing on this point
Need to digest, but then to be consistent with this - why do we allow the Remove Blocked Hosts Interval option? What do we need it for? Snort blocks hosts for say 1 hour and automatically removes it and then if needed blocks again. How does that sound?
PS: I’m not advocating for this change, just underlining the point.
Because Snort hands off the actual blocking to the firewall packet filter, there needs to be an option to clean up blocked IPs after some period of time. Snort can't just "drop" packets like Suricata Inline Mode can. Think of a Snort block as a temporary firewall rule that is put in place. That rule needs to expire after some interval. Generally something like 15, 30 or 60 minutes is a reasonable expiration time. That is long enough to discourage port scanners and bot scripts that are say knocking on a bunch of port doors looking for a way in.
It's true that Snort could hand the IP to the snort2c table and then clear it again almost immediately, but that would take a lot of extra processing on the part of Snort. Instead, Snort creates a cron task that uses the interval selected by the Clear Blocked Hosts setting. That cron task runs the pfctl utility to scan the snort2c table and remove any IP addresses that have not seen activity within the interval set by the Clear Blocked Hosts setting. So if the interval is set for 30 minutes, then only IP addresses that have not been seen in any traffic for the last 30 minutes will be cleared from the table.