snort does not block



  • Hi folks,
    maybe you could help me to find out, why snort does not block and just creates an alarm.

    I used kali to scan my firewall, which was recorded under alarms, but the specific ports is not getting blocked.

    any idea?

    all software is latest

    13.JPG
    14.JPG



  • There are two possibilities for not blocking.

    Number one is did you actually enable blocking on the INTERFACE SETTINGS tab?

    If you did, the second possibility (and the more probable) is that your Kali host lies within your LAN subnet, and by default, the LAN subnet is on the default Pass List for an interface. So in your setup, any host with an IP address within the 192.168.0.0/24 network (I assume you have a /24 subnet) will not get blocked but will generate an alert. You have two ways to solve this. If possible, put your Kali host on a network that is not directly attached to your firewall so that the Kali host's IP address won't be on a default Pass List. The other way to solve the issue is to create a custom Pass List and remove you LAN subnet from the list. Be aware that this last option will result in lots of blocks for your LAN hosts.



  • ah okay, I think I got it.

    15.JPG

    so in that list i need to remove 192.168.0.0/24?



  • Yes, but you can't edit the displayed list directly. That "View List" button will not save any edits you make. It is strictly a read-only operation.

    Instead, you will need to go to the Pass Lists tab and create a new custom Pass List. In the dialog that opens when you click to create a new list, you will uncheck the box to "Include Locally-attached Networks". Save the new list. Then go back to the INTERFACE SETTINGS tab and in the Pass List drop-down selector choose the name of the newly created custom list. Save the change and then restart Snort on the interface.

    You really need to decide if doing all this is worth the hassle just so your Kali box on the same subnet can generate blocks. Your life will be much more pleasant if you leave the default settings alone. Snort on pfSense was designed with the thought of protecting LAN clients from outside threats (meaning hosts out on the Internet), not to protect LAN hosts from other LAN hosts.

    Oh, and not the button your red arrow points at. That is for HOME_NET. You want the PASS LIST button (third one down).



  • @bmeeks

    thanks a lot!


Log in to reply