How to unblock IP on pfSense+Snort using API or command line ?

itmnetworks · May 20, 2022, 4:43 AM

Hello,

I need to create one way that I fill the blocked IP into one form on my NOC system and this IP need to be unblocked on Snort that running on pfSense.

I'm not found the documentation about pfSense + Snort API or command line

do you know how I can do this ?

very thanks,
Rodrigo

bmeeks · May 20, 2022, 1:32 PM

Yes, you can do this via a simple script using the pfctl utility. It will be up to you to figure out how to make it work in your NOC setup.

This is the command line to execute:

/sbin/pfctl -t snort2c -T delete {$ip}

where you replace {$ip} with the actual IP address you want removed. So assuming I wanted to "unblock" 10.10.1.1, I would execute:

/sbin/pfctl -t snort2c -T delete 10.10.1.1

Snort blocks by putting IP addresses into a predefined pf table called snort2c. You can list all of the IP addresses currently stored in that table, and thus get a list of currently "blocked" IPs, using this command:

/sbin/pfctl -t snort2c -T show

itmnetworks · May 21, 2022, 1:36 AM

@bmeeks perfect, very very very thanks