Snort v3.2.9.9 - not blocking?



  • Has anyone else encountered that post upgrade to this version that blocking appears to be no longer occurring? The prior version (automated block was for 15 minutes), commonly had 25-100 blocked addresses. Post upgrade - have not seen anything blocked, across a couple days, despite increasing the block duration to 1 day. Alert log is empty as well. There were no configuration changes made over the course of those days after upgrade, with the exception of increasing the block duration in an attempt to determine if any sites were being actively blocked. Usually check the Services -> Snort -> Blocked (and Alerts) multiple times a day and it remains "empty".

    Just concerning when numerous entries would appear throughout the course of an average day and now - no entries appear despite increasing the block duration (in an attempt to see that blocks are occurring).

    Have since also tried: deleting the configuration, reboot, created a new interface configuration with numerous categories selected and rebooted again for good measure. Still nothing in the alert or blocked list for Snort. An additional attempt was to disable pfBlockerNG - to see if any blocks were to appear and after a couple hours with a decent amount of traffic, still nothing appearing as blocked.

    Any suggestions on diagnostic options?

    Also - anyone happen to know the process to "downgrade" to the prior version?

    Thanks!



  • Hi bmeeks,

    Suricata 4.1.4_5 can't show outbound blocks in legacy mode. As in the attachment, the whole outbound blocklist disappears; only inbound IPs have been blocked.

    2.jpg
    1.jpg



  • @justme2 said in Snort v3.2.9.9 - not blocking?:

    Has anyone else encountered that post upgrade to this version that blocking appears to be no longer occurring? The prior version (automated block was for 15 minutes), commonly had 25-100 blocked addresses. Post upgrade - have not seen anything blocked, across a couple days, despite increasing the block duration to 1 day. Alert log is empty as well. There were no configuration changes made over the course of those days after upgrade, with the exception of increasing the block duration in an attempt to determine if any sites were being actively blocked. Usually check the Services -> Snort -> Blocked (and Alerts) multiple times a day and it remains "empty".

    Just concerning when numerous entries would appear throughout the course of an average day and now - no entries appear despite increasing the block duration (in an attempt to see that blocks are occurring).

    Have since also tried: deleting the configuration, reboot, created a new interface configuration with numerous categories selected and rebooted again for good measure. Still nothing in the alert or blocked list for Snort. An additional attempt was to disable pfBlockerNG - to see if any blocks were to appear and after a couple hours with a decent amount of traffic, still nothing appearing as blocked.

    Any suggestions on diagnostic options?

    Also - anyone happen to know the process to "downgrade" to the prior version?

    Thanks!

    I just checked my SG-5100 running pfSense-2.4.4_3 and Snort-3.2.9.9 and I am getting blocks. Just to be sure, I removed all blocks and then watched. Two new blocks appeared about 30 seconds later. I run a set of Emerging Threats rules on my WAN specifically to generate blocks on normal Internet noise so I have data for testing and development.

    I just checked once more right before submitting this post and the blocked IP count is up to five. That would indicate the code is functioning properly.



  • @everfree :
    I don't understand your question. What do you mean "outbound block list disappear"? That makes no sense to me.



  • @bmeeks
    163.22.0.0/16 is my passlist; the others should be blocked IPs. You can see in picture 2 that all the blue ones, including 4.16.75.8 and 149.56.129.211, are not in my passlist. So the two IPs should be blocked but are not. It also does not show the X icon for the two IPs.



  • @everfree said in Snort v3.2.9.9 - not blocking?:

    @bmeeks
    163.22.0.0/16 is my passlist; the others should be blocked IPs. You can see in picture 2 that all the blue ones, including 4.16.75.8 and 149.56.129.211, are not in my passlist. So the two IPs are not blocked.

    Do you have the "Which IP to Block" setting on BOTH (that is the default)? Also, do you have the automatic blocked IP cron task configured? That is on the GLOBAL SETTINGS tab. When set to any interval other than NONE, it will create a cron task that removes IP addresses from the snort2c table (and thus the list of blocked IPs on the BLOCKED tab) if they have not seen additional traffic within the specified interval.

    Once Snort sees an alert, it pulls out the IP addresses, removes those not on a Pass List, and then passes the result to the pf packet filter firewall to be blocked. It does that by making a FreeBSD system call to copy the IP address to be blocked into the snort2c table. After that Snort forgets about the IP. When you display the list of "blocked" IP addresses on the BLOCKED tab all the PHP code does is ask FreeBSD to dump out the contents of the snort2c table. Three things can clear that table: 1) manual action by the user; 2) the cron task mentioned in the previous paragraph; or 3) a reboot of the firewall.
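The alert-to-snort2c path described in the two posts above lends itself to a simple offline cross-check, so here is an added diagnostic example (not from this thread and not part of the pfSense Snort package): it parses Snort's "fast" alert log format, applies the pass list and the "Which IP to Block" choice the same way the package does (src, dst, or both, minus pass-listed addresses), and compares the result with a dump of the snort2c table as printed by `pfctl -t snort2c -T show`. The alert lines, SIDs, rule names and table contents below are constructed sample data; the pass list is the 163.22.0.0/16 network from the thread. If alerts exist but the expected addresses are missing from the table, the problem is in the blocking step (or the cron clearing task); if no alerts parse at all, nothing can be blocked and the rules or interface configuration is the place to look.

```python
"""Cross-check Snort fast-alert IPs against the pf snort2c table.

Added example, not code from the thread or the pfSense Snort package.
Constructed sample data is embedded so it runs offline; on a firewall you
would feed it the real alert log and the output of
`pfctl -t snort2c -T show`.
"""
import ipaddress
import re

# Constructed sample: three lines in Snort "fast" alert format.
# SIDs 1000001-1000003 are local-rule placeholders, not real ET rule IDs.
SAMPLE_ALERTS = """\
06/12-10:15:01.123456  [**] [1:1000001:1] CONSTRUCTED TEST RULE ssh probe [**] [Priority: 2] {TCP} 4.16.75.8:52311 -> 163.22.10.5:22
06/12-10:15:07.654321  [**] [1:1000002:1] CONSTRUCTED TEST RULE mysql probe [**] [Priority: 2] {TCP} 149.56.129.211:41000 -> 163.22.10.5:3306
06/12-10:16:30.000001  [**] [1:1000003:1] CONSTRUCTED TEST RULE icmp probe [**] [Priority: 3] {ICMP} 183.134.99.98 -> 163.22.10.5
"""

# Constructed sample: what `pfctl -t snort2c -T show` printed (one IP per line).
SAMPLE_TABLE = """\
   4.16.75.8
   203.0.113.77
"""

# Pass list from the thread: addresses here are never blocked.
PASS_LIST = ["163.22.0.0/16"]

# Tail of a fast-alert line: "{PROTO} src[:port] -> dst[:port]".
# The port is optional so ICMP alerts (no ports) parse too.
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_alert_ips(text):
    """Return a list of (src, dst) pairs, one per parsable alert line."""
    pairs = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            pairs.append((m.group("src"), m.group("dst")))
    return pairs


def parse_table(text):
    """Return the set of addresses in a pfctl table dump."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def expected_blocks(pairs, pass_list, which="both"):
    """Addresses the package should have added to snort2c.

    `which` mirrors the "Which IP to Block" setting: "src", "dst" or "both".
    Pass-listed addresses are dropped before blocking, as the package does.
    """
    nets = [ipaddress.ip_network(n) for n in pass_list]

    def passed(ip):
        return any(ipaddress.ip_address(ip) in net for net in nets)

    expected = set()
    for src, dst in pairs:
        candidates = {"src": [src], "dst": [dst], "both": [src, dst]}[which]
        expected.update(ip for ip in candidates if not passed(ip))
    return expected


def missing_blocks(alert_text, table_text, pass_list, which="both"):
    """Sorted list of addresses that alerted but are absent from snort2c."""
    expected = expected_blocks(parse_alert_ips(alert_text), pass_list, which)
    present = parse_table(table_text)
    return sorted(expected - present, key=ipaddress.ip_address)


def diagnose(alert_text, table_text, pass_list, which="both"):
    """One-line verdict separating 'no alerts' from 'alerts but no blocks'."""
    if not parse_alert_ips(alert_text):
        return "no alerts"
    missing = missing_blocks(alert_text, table_text, pass_list, which)
    if not missing:
        return "ok"
    return "missing: " + ", ".join(missing)


if __name__ == "__main__":
    print(diagnose(SAMPLE_ALERTS, SAMPLE_TABLE, PASS_LIST))
```

One caveat when running this against live data: the cron task described above removes table entries that have seen no traffic within the configured interval, so only compare alerts newer than that interval (or set the interval to NONE while testing, as the original poster did) to avoid reporting legitimately expired entries as missing.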



  • 183.134.99.98 should be blocked, and it should have x (remove from blocked list) icon

    3.jpg



  • @everfree said in Snort v3.2.9.9 - not blocking?:

    183.134.99.98 should be blocked, and it should have x (remove from blocked list) icon

    3.jpg

    You must have a configuration issue somewhere on your system. My firewall is working just fine and I have the latest Snort package version. As I mentioned up above for user @justme2, I purposefully cleared out all of my blocked IPs and then waited to see if they would re-populate. They have. I currently am showing 16 new blocked IP addresses, and they are also properly marked with the red X icon on the ALERTS tab.

    That tells me the code is working fine. You need to look carefully through your configuration to see what's up with your firewall.



  • OK - that's what I needed to know. I'll go back and review the config. Curious what about the config wasn't liked by the newer version, however restoring the functionality is more important. I'll completely uninstall snort (removing config and logs) and then start again.

    Thanks!



    Before I updated to the newest version, it worked. I have used the config for a very long time, about 2 years. I did not meet this issue. I use Suricata, not Snort..........



  • Suricata 4.1.4_5

    Legacy Mode blocking is not actually blocking offender IPs in some setups. I have the "Which IP to Block" setting on BOTH. I think it is not fully fixed.



  • @everfree said in Snort v3.2.9.9 - not blocking?:

    Suricata 4.1.4_5

    Legacy Mode blocking is not actually blocking offender IPs in some setups. I have the "Which IP to Block" setting on BOTH. I think it is not fully fixed.

    You posted in a Snort 3.2.9.9 thread, so I read your initial post quickly and missed the Suricata part in the message. Sorry about that. I automatically assumed you were posting about a Snort issue. I get a lot of messages from various users and sometimes get all the different posts confused.

    I will need to check on Suricata using a test VM. Just noticed this post this morning in another thread for a different user: https://forum.netgate.com/topic/145891/my-suricata-not-blocking-legacy-mode. Look in your suricata.log file for the interface and see if a similar message is shown for your system.

