Netgate Discussion Forum
    snort does not block

    Category: IDS/IPS
    5 Posts 2 Posters 714 Views
    pooperman

      Hi folks,
      maybe you could help me find out why Snort does not block and just creates an alarm.

      I used Kali to scan my firewall, which was recorded under alarms, but the specific ports are not getting blocked.

      Any idea?

      All software is latest.

      Attachments: 13.JPG, 14.JPG
      bmeeks

        There are two possibilities for not blocking.

        Number one is did you actually enable blocking on the INTERFACE SETTINGS tab?

        If you did, the second possibility (and the more probable) is that your Kali host lies within your LAN subnet, and by default, the LAN subnet is on the default Pass List for an interface. So in your setup, any host with an IP address within the 192.168.0.0/24 network (I assume you have a /24 subnet) will not get blocked but will generate an alert. You have two ways to solve this. If possible, put your Kali host on a network that is not directly attached to your firewall so that the Kali host's IP address won't be on a default Pass List. The other way to solve the issue is to create a custom Pass List and remove your LAN subnet from the list. Be aware that this last option will result in lots of blocks for your LAN hosts.
        pooperman

          ah okay, I think I got it.

          Attachment: 15.JPG

          So in that list I need to remove 192.168.0.0/24?
          bmeeks

            Yes, but you can't edit the displayed list directly. That "View List" button will not save any edits you make. It is strictly a read-only operation.

            Instead, you will need to go to the Pass Lists tab and create a new custom Pass List. In the dialog that opens when you click to create a new list, you will uncheck the box to "Include Locally-attached Networks". Save the new list. Then go back to the INTERFACE SETTINGS tab and in the Pass List drop-down selector choose the name of the newly created custom list. Save the change and then restart Snort on the interface.

            You really need to decide if doing all this is worth the hassle just so your Kali box on the same subnet can generate blocks. Your life will be much more pleasant if you leave the default settings alone. Snort on pfSense was designed with the thought of protecting LAN clients from outside threats (meaning hosts out on the Internet), not to protect LAN hosts from other LAN hosts.

            Oh, and not the button your red arrow points at. That is for HOME_NET. You want the PASS LIST button (third one down).

            pooperman @bmeeks
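To make the pass-list behaviour described above concrete, here is an added example (not code from the thread or from the pfSense Snort package) that models in Python how an alert whose source sits inside a pass-listed network is logged but never blocked, and how a custom list with locally attached networks excluded changes that. The 192.168.0.0/24 LAN and the 203.0.113.10 WAN address are assumed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology: the /24 LAN the thread assumes, plus a WAN
# address from the documentation range (assumed values, not from the thread).
LOCAL_NETWORKS = [ip_network("192.168.0.0/24")]
WAN_ADDRESS = ip_network("203.0.113.10/32")


def build_pass_list(include_local_networks=True, extra_entries=()):
    """Model the pass-list assembly the thread describes: the firewall's own
    WAN address is always passed, locally attached networks are passed unless
    'Include Locally-attached Networks' is unchecked on a custom list, and any
    hand-added entries are appended. Returns a list of ip_network objects."""
    entries = [WAN_ADDRESS]
    if include_local_networks:
        entries.extend(LOCAL_NETWORKS)
    entries.extend(ip_network(e) for e in extra_entries)
    return entries


def decide(src_ip, pass_list):
    """Return 'alert' for a pass-listed source (alert only, no block entry)
    or 'alert+block' for a source that would also be blocked."""
    ip = ip_address(src_ip)
    if any(ip in net for net in pass_list):
        return "alert"
    return "alert+block"


def classify_alerts(alerts, pass_list):
    """Apply the decision to a batch of (src_ip, signature) tuples."""
    return {src: decide(src, pass_list) for src, _sig in alerts}


# Constructed alerts: one scanner on the LAN, one out on the Internet.
SAMPLE_ALERTS = [
    ("192.168.0.50", "constructed portscan signature"),
    ("198.51.100.7", "constructed portscan signature"),
]

if __name__ == "__main__":
    default_list = build_pass_list()  # default Pass List: LAN is passed
    custom_list = build_pass_list(include_local_networks=False)
    print("default:", classify_alerts(SAMPLE_ALERTS, default_list))
    print("custom :", classify_alerts(SAMPLE_ALERTS, custom_list))
```

With the default list only the Internet source is blocked; with the custom list the LAN scanner is blocked too, which is exactly the trade-off bmeeks warns about for other LAN hosts.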

              @bmeeks

              thanks a lot!
