Snort on Pfsense 2.4.4
-
Hi Guys,
The blocked tab in Snort is taking a very long time to load. IPS is tuned and doesn't have that many entries. Any ideas what could be causing this?
-
How many blocked IPs do you have? And are you running any other package that might be generating and/or maintaining large pf tables? There is a known issue with the pfctl utility when it is manipulating large tables in the pf firewall engine. That issue is being investigated by the pfSense team. The problem seems to have come over with the update to FreeBSD 11.3/STABLE. The BLOCKED tab calls the pfctl utility to grab the list of IP addresses currently held in the snort2c table Snort uses for blocking hosts.
You really need to be running the periodic task to remove blocked hosts if you do not already have that enabled. Go to the GLOBAL SETTINGS tab and enable the option to "Remove Blocked Hosts" and set it to a reasonable interval. I suggest 1 hour as a good time. That is enough to discourage port scanners and the like. There is no reason whatsoever to keep IPs in the blocked table for days or weeks. If the offending IP targets your box again, Snort will block it again. The 1-hour suggested blocked host interval is plenty of time to leave an IP blocked.
If you have the "Remove Blocked Hosts" option enabled and still have slow page loading on the BLOCKED tab, then how many IPs are in that list?
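The reply above points at pfctl being slow against large pf tables, whether snort2c or tables another package maintains. The diagnostic below is an added example (not from this thread, Snort or pfSense): run as root on the pfSense shell, it times pfctl -T show for every table and counts entries so the large one stands out. The helper names and the 10000-entry cutoff are my own choices.

```shell
#!/bin/sh
# Added diagnostic: time `pfctl -t <table> -T show` for every pf table and
# count its entries. Assumes it runs as root on pfSense, where pfctl exists.

# Count address lines in `pfctl -t <table> -T show` output read from stdin.
# pfctl prints one indented address per line; prints 0 for an empty table.
pf_table_count() {
    grep -c -E '^[[:space:]]*[0-9A-Fa-f.:]+' || true
}

# Classify an entry count against a threshold (hypothetical cutoff chosen
# here, not a pfSense setting); prints "large" or "ok".
pf_table_size_class() {
    if [ "$1" -ge "$2" ]; then echo large; else echo ok; fi
}

# One line per table: name, entries, seconds pfctl took, size class,
# sorted with the biggest table first.
pf_table_report() {
    threshold="${1:-10000}"
    pfctl -s Tables 2>/dev/null | while read -r table; do
        [ -n "$table" ] || continue
        start=$(date +%s)
        count=$(pfctl -t "$table" -T show 2>/dev/null | pf_table_count)
        end=$(date +%s)
        printf '%-24s %10s %4ss %s\n' "$table" "$count" "$((end - start))" \
            "$(pf_table_size_class "$count" "$threshold")"
    done | sort -k2 -n -r
}

# Only run the report where pfctl is actually present (i.e. on the firewall).
if command -v pfctl >/dev/null 2>&1; then
    printf '%-24s %10s %5s %s\n' TABLE ENTRIES TIME CLASS
    pf_table_report 10000
fi
```

A table that reports tens of thousands of entries and several seconds per pfctl call is the one slowing the BLOCKED tab, whether it is snort2c itself or a DNSBL/alias table from another package.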
-
Hi, Thanks for your reply,
I have 5-10 IP addresses in the block list. I also periodically flush that list. I am thinking of pfBlocker, as I've recently added DNSBL lists; could those be the reason? Otherwise my block lists are reasonable... I am not doing any reputation-based blocking.
Would you like any logs from my system, if this may help?
Cheers
-
@compuomari said in Snort on Pfsense 2.4.4:
Hi, Thanks for your reply,
I have 5-10 IP addresses in the block list. I also periodically flush that list. I am thinking of pfBlocker, as I've recently added DNSBL lists; could those be the reason? Otherwise my block lists are reasonable... I am not doing any reputation-based blocking.
Would you like any logs from my system, if this may help?
Cheers
Yes, most definitely the DNSBL will cause the problem if you have lots of IP lists (and most folks do with that option).
-
@bmeeks Thank you very much, I will take off some lists and check what happens.