Netgate Discussion Forum

    Weird issue in 2.5.2. Suricata won't lift blocks and routing stops to internal mailserver.

    General pfSense Questions
    7 Posts 4 Posters 764 Views
    • Cool_Corona

      Only thing to solve it, is to reboot.

      Only 20 days uptime since last reboot.

      Nothing unusual to see and report. Everything looks normal.

      Routing to other services behind the FW works with no issues.

      • SteveITS @Cool_Corona

        @cool_corona In Global Settings, what is "Remove Blocked Hosts Interval" set to?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • Cool_Corona @SteveITS

          @steveits Never, but deleting blocks manually and restarting Suricata doesn't clear it. Only a reboot will.

          And I only have one Suricata process running.

          • fireodo @Cool_Corona

            @cool_corona said in Weird issue in 2.5.2. Suricata won't lift blocks and routing stops to internal mailserver.:

            @steveits Never, but deleting blocks manually and restarting Suricata doesn't clear it. Only a reboot will.

            And I only have one Suricata process running.

            Hi, no answer to your question, but why don't you put your question in the IDS/IPS category so @bmeeks can look at it?

            Have a fine weekend,
            fireodo

            Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
            SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
            pfsense 2.7.2 CE
            Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

            • SteveITS @Cool_Corona

              @cool_corona Hmm, well I've not set it to never so have no experience. But we delete blocks all the time.

              After deleting a block is the ip still in the table when viewed via Diagnostics? I believe it’s the snort2c table or similarly named.


              • bmeeks @Cool_Corona

                @cool_corona said in Weird issue in 2.5.2. Suricata won't lift blocks and routing stops to internal mailserver.:

                @steveits Never, but deleting blocks manually and restarting Suricata doesn't clear it. Only a reboot will.

                And I only have one Suricata process running.

                What happens after the reboot? Does the block return quickly?

                You may simply have repeated triggers of the same rule causing recurring blocks. The "auto-remove blocks" cron task will only remove IP addresses that have not seen any further traffic since the initial block. So if the "remove blocked hosts" setting is configured for one hour, then the task will only remove IP addresses from the table that have not seen traffic for the last hour or more. If traffic is still repeatedly hammering the blocked IP, it should stay in the table and not be cleared. This is a FreeBSD system function, it is not a part of the Snort or Suricata packages. The IDS/IPS packages simply call that FreeBSD system function via a call to the pfctl packet filter utility to do the work.

                While the block is in place, go to DIAGNOSTICS > TABLES and select the snort2c table in the drop-down there. You will see a list of the IP addresses currently in that table. These are the IPs being "blocked" at that time. You can manually remove IP addresses there. Try that and see if it works.

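                An added example (not from any poster in this thread, and not part of the Snort/Suricata packages) that makes the check above concrete from the shell: it reads the verbose snort2c table listing and separates entries that still see blocked packets (which the auto-remove task will not clear, and which reappear right after a manual removal) from quiet ones. It assumes `pfctl -t snort2c -T show -vv` prints the layout shown in the constructed sample; the helper names are made up here.

```shell
#!/bin/sh
# Constructed sample of what `pfctl -t snort2c -T show -vv` prints on pfSense
# (layout assumed from pfctl's verbose table output; not captured from a real box).
SAMPLE='   192.0.2.10
        Cleared:     Mon Jun  3 10:00:00 2024
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   198.51.100.7
        Cleared:     Mon Jun  3 10:05:00 2024
        In/Block:    [ Packets: 1342               Bytes: 80520              ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 4                  Bytes: 240                ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]'

# Read the verbose table listing on stdin; print "<address> <packets blocked in+out>".
# An address line is the only line with a single field; counter lines have several.
block_hits() {
    awk '
        NF == 1    { if (addr != "") print addr, pkts; addr = $1; pkts = 0; next }
        /\/Block:/ { pkts += $4 }
        END        { if (addr != "") print addr, pkts }
    '
}

# Entries with no blocked packets since their counters were cleared: these are the
# ones the "remove blocked hosts" cron task is expected to drop once they age out.
quiet_blocks() {
    block_hits | awk '$2 == 0 { print $1 }'
}

# Entries that are still being hit: they stay in snort2c (or return immediately
# after a manual removal), so look at the alert that keeps firing for them.
active_blocks() {
    block_hits | awk '$2 > 0 { print $1, $2 }'
}

# Demo on the constructed sample; on the firewall pipe the real command instead:
#   pfctl -t snort2c -T show -vv | active_blocks
echo "still being hit:";  printf '%s\n' "$SAMPLE" | active_blocks
echo "quiet (eligible):"; printf '%s\n' "$SAMPLE" | quiet_blocks
```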
                • Cool_Corona @bmeeks

                  @bmeeks Hi Bill

                  No blocks as of yet. It's been 23 hrs since reboot and everything is running as it should.

                  No issues with the service behind pfsense since reboot.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.