Netgate Discussion Forum

    Snort on Pfsense 2.4.4

    Posted in: IDS/IPS
    compuomari:

      Hi Guys,

      The BLOCKED tab in Snort is taking a very long time to load. IPS is tuned and doesn't have that many entries. Any ideas what could be causing this?

      bmeeks @compuomari:

        @compuomari:

        How many blocked IPs do you have? And are you running any other package that might be generating and/or maintaining large pf tables?

        There is a known issue with the pfctl utility when it is manipulating large tables in the pf firewall engine. That issue is being investigated by the pfSense team. The problem seems to have come over with the update to FreeBSD 11.3/STABLE. The BLOCKED tab calls the pfctl utility to grab the list of IP addresses currently held in the snort2c table Snort uses for blocking hosts.

        You really need to be running the periodic task to remove blocked hosts if you do not already have that enabled. Go to the GLOBAL SETTINGS tab and enable the option to "Remove Blocked Hosts" and set it to a reasonable interval. I suggest 1 hour as a good time. That is enough to discourage port scanners and the like. There is no reason whatsoever to keep IPs in the blocked table for days or weeks. If the offending IP targets your box again, Snort will block it again. The 1-hour suggested blocked host interval is plenty of time to leave an IP blocked.

        If you have the "Remove Blocked Hosts" option enabled and still have slow page loading on the BLOCKED tab, then how many IPs are in that list?

        compuomari:
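        The post above says the BLOCKED tab is only as fast as `pfctl` is at reading the `snort2c` table, and that other packages' large tables are suspects. The following script is an added example (not code from this thread or from the pfSense Snort package) that ranks every pf table by entry count, so you can see at a glance whether `snort2c` or something else is the large one. The `pfctl -s Tables` and `pfctl -t <table> -T show` invocations are real pfctl syntax; the table names and addresses in `fake_pfctl` are constructed stand-ins used only when no `pfctl` binary exists, and `PFCTL`, `count_entries`, `table_report` and `largest_table` are names chosen here.

```shell
#!/bin/sh
# Added example (not from this thread or the pfSense Snort package).
# Ranks pf tables by entry count so you can see whether snort2c or another
# package's tables (pfBlockerNG's DNSBL/GeoIP lists, for example) are the
# big ones that make every pfctl call, and therefore the BLOCKED tab, slow.
# Run on the pfSense shell as root. The pfctl invocations are real; the
# sample data at the bottom is constructed.

set -u

# Command used to query pf. Overridable so the functions can be exercised
# with the constructed stub below on a machine without pf.
PFCTL="${PFCTL:-pfctl}"

# Count address entries in `pfctl -t <table> -T show` output read on stdin.
# pfctl prints one address or prefix per line, indented; blanks are ignored.
count_entries() {
    awk 'NF { n++ } END { print n + 0 }'
}

# Read table names on stdin (one per line, as `pfctl -s Tables` prints them)
# and emit "<entries> <table>" lines, largest table first.
table_report() {
    while IFS= read -r tbl; do
        [ -n "$tbl" ] || continue
        n=$("$PFCTL" -t "$tbl" -T show 2>/dev/null | count_entries)
        printf '%8d %s\n' "$n" "$tbl"
    done | sort -rn
}

# Name of the biggest table, given table_report output on stdin.
largest_table() {
    awk 'NR == 1 { print $2 }'
}

# Constructed stand-in for pfctl: two tables filled with documentation-range
# addresses. Not data from the poster's firewall.
fake_pfctl() {
    case "$*" in
        "-s Tables")
            printf 'snort2c\npfB_DNSBL\n' ;;
        "-t snort2c -T show")
            printf '   192.0.2.10\n   192.0.2.11\n   203.0.113.5\n' ;;
        "-t pfB_DNSBL -T show")
            printf '   198.51.100.0/24\n   198.51.100.7\n   203.0.113.0/26\n'
            printf '   203.0.113.200\n   2001:db8::1\n   2001:db8:1::/48\n' ;;
        *)
            echo "fake_pfctl: unsupported arguments: $*" >&2
            return 1 ;;
    esac
}

# Use the real pfctl when present (pfSense), otherwise the stub.
if ! command -v "$PFCTL" >/dev/null 2>&1; then
    PFCTL=fake_pfctl
fi
"$PFCTL" -s Tables | table_report
```

        On a real firewall the top line of the report is the table to look at first. If it is `snort2c`, the hourly "Remove Blocked Hosts" task described above is the fix; at the pf level that task amounts to expiring old entries, which by hand is `pfctl -t snort2c -T expire 3600` for a one-hour lifetime (the `-T expire` verb is real pfctl syntax; that the Snort package implements its cleanup this way is my assumption, not something the thread states). If the top line is a pfBlockerNG table instead, the slowness is not Snort's and trimming those lists is the lever.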

          Hi, Thanks for your reply,

          I have 5-10 IP addresses in the block list. I also periodically flush that list. I am thinking of pfBlocker, as I've recently added DNSBL lists; could those be the reason? Otherwise my block lists are reasonable... I am not doing any reputation-based blocking.

          Would you like any logs from my system, if that may help?

          Cheers

          bmeeks @compuomari:


            Yes, most definitely the DNSBL will cause the problem if you have lots of IP lists (and most folks do with that option).

            compuomari @bmeeks:

              @bmeeks Thank you very much, I will take off some lists and check what happens.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.