Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    how to get IP Attacker into the blocklist

    Scheduled Pinned Locked Moved IDS/IPS
    50 Posts 9 Posters 8.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      ezvink
      last edited by

      I've tried to attack the webserver, and it worked. The alert from the attack was already in Snort/Suricata but the attacker's IP was not included in the blocklist.

      even though I have added a passlist with the attacker's IP

      S S 2 Replies Last reply Reply Quote 0
      • ?
        A Former User
        last edited by

        Services > Snort > Blocked Hosts

        You can try to look here for the host IP

        E 1 Reply Last reply Reply Quote 0
        • S
          SteveITS Galactic Empire @ezvink
          last edited by

          @ezvink If you've added the IP to the passlist then it shouldn't ever be blocked...?

          Is "Block Offenders" checked in your Suricata interface settings?

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          E 1 Reply Last reply Reply Quote 0
          • E
            ezvink @SteveITS
            last edited by

            @steveits
            ohh that passlist is not to add IP to be blocked sir? i see on youtube it works as an IP to be blocked.

            yes I checked "Block Offenders"

            johnpozJ S 2 Replies Last reply Reply Quote 0
            • E
              ezvink @A Former User
              last edited by

              @dobby_
              oke sir thankyou, i will try

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @ezvink
                last edited by

                @ezvink said in how to get IP Attacker into the blocklist:

                i see on youtube it works as an IP to be blocked.

                What video is this exactly? Its says to put things in the "passlist" to block them?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                E 1 Reply Last reply Reply Quote 0
                • S
                  SteveITS Galactic Empire @ezvink
                  last edited by

                  @ezvink said in how to get IP Attacker into the blocklist:

                  ohh that passlist is not to add IP to be blocked sir?

                  There is no “block list” in an IDS program because one can just make a normal firewall rule to block the IP.

                  The Pass list is to always allow that IP.

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote 👍 helpful posts!

                  E 1 Reply Last reply Reply Quote 0
                  • E
                    ezvink @SteveITS
                    last edited by

                    @steveits
                    what I mean is like this, sir, when Suricata/snort detects the attacker's IP attack, it automatically enters the block list.

                    So what I want to ask is, how do I enter the attacker's IP into the blocklist? even though the IP attack was successfully detected but not included in the blocklist, even though the rule I made was also DROP not ALERT

                    this is a picture of the journal that I read, and the journal does not explain how to get the attacker's IP into the blocklist list.
                    6d6a1019-60d8-4085-9bff-6f58ee1d1bf2-image.png
                    2612b7a5-39b6-4976-affa-4abb7095c133-image.png

                    S 1 Reply Last reply Reply Quote 0
                    • E
                      ezvink @johnpoz
                      last edited by

                      @johnpoz
                      I saw the video on youtube, sir, who tried to attack using Suricata and added a passlist

                      bmeeksB 1 Reply Last reply Reply Quote 0
                      • S
                        SteveITS Galactic Empire @ezvink
                        last edited by

                        @ezvink You aren’t supposed to enter any IPs manually.
                        Are you using Legacy mode (which adds it automatically) or Inline mode (which doesn’t use the block list, as noted in the screenshot, because the packet is simply dropped)?

                        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                        Upvote 👍 helpful posts!

                        E 1 Reply Last reply Reply Quote 0
                        • E
                          ezvink @SteveITS
                          last edited by

                          @steveits
                          I'm using legacy mode sir, but it doesn't have any effect.

                          S 1 Reply Last reply Reply Quote 0
                          • S
                            serbus @ezvink
                            last edited by

                            Hello!

                            Snort IP rep lists might do what you want.
                            Check the docs

                            John

                            Lex parsimoniae

                            1 Reply Last reply Reply Quote 0
                            • bmeeksB
                              bmeeks @ezvink
                              last edited by bmeeks

                              @ezvink said in how to get IP Attacker into the blocklist:

                              @johnpoz
                              I saw the video on youtube, sir, who tried to attack using Suricata and added a passlist

                              I think you completely misunderstood the concept there. A Pass List is used to prevent an IP from being blocked. "Pass" means "to allow", so that means the traffic is not blocked but instead is allowed to pass when the IP is on a Pass List. You would use a Pass List when a rule is triggering for some host (possibly as a false positive), but you do not want that host to be blocked. IP addresses listed on an active Pass List will not be blocked, but they will still show up on the ALERTS tab when the alerting rule triggers.

                              If you want to block a specific IP, you can always create your own custom rule using the feature on the RULES tab (by selecting "Custom Rules" in the Category drop-down on that tab).

                              E 1 Reply Last reply Reply Quote 0
                              • S
                                SteveITS Galactic Empire @ezvink
                                last edited by

                                @ezvink Did you happen to click any of the [+] icons on the Alerts tab, to Suppress the alert? If you did then it won't trigger again. You can view that list on the Suppress tab.

                                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                                Upvote 👍 helpful posts!

                                E 1 Reply Last reply Reply Quote 0
                                • E
                                  ezvink @bmeeks
                                  last edited by

                                  @bmeeks
                                  I've added a rule with DROP sir to the rules I created in the custom rule, but it's still not in the blockhost tab

                                  1 Reply Last reply Reply Quote 0
                                  • E
                                    ezvink @SteveITS
                                    last edited by

                                    @steveits
                                    if my attacker's IP has entered the suppress tab, is the IP blocked, sir?

                                    bmeeksB S 2 Replies Last reply Reply Quote 0
                                    • bmeeksB
                                      bmeeks @ezvink
                                      last edited by

                                      @ezvink said in how to get IP Attacker into the blocklist:

                                      @steveits
                                      if my attacker's IP has entered the suppress tab, is the IP blocked, sir?

                                      No. A suppress list suppresses the alert and therefore any associated block.

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        SteveITS Galactic Empire @ezvink
                                        last edited by

                                        @ezvink said in how to get IP Attacker into the blocklist:

                                        if my attacker's IP has entered the suppress tab, is the IP blocked

                                        No.

                                        The suppress list is for alerts that you never want to see again. Meaning, the alert is suppressed. Therefore, never blocked.

                                        If you want to block an attacking IP you don't enter it anywhere. You said you were using Legacy with blocking enabled, so if the attacker triggers an Alert then the IP appears on the Blocks tab.

                                        It sounds like you have created a custom rule. Is the rule being triggered? It is logged on the Alert tab?

                                        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                                        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                                        Upvote 👍 helpful posts!

                                        E 1 Reply Last reply Reply Quote 0
                                        • E
                                          ezvink @SteveITS
                                          last edited by

                                          @steveits
                                          I do not set anything else sir, I just leave the default.

                                          but it doesn't work on the suricata/snort I installed sir, can you help me find the point where the problem is?

                                          E johnpozJ 2 Replies Last reply Reply Quote 0
                                          • E
                                            ezvink @ezvink
                                            last edited by

                                            @ezvink
                                            This is the rule that I added sir, it can be detected and goes to alerts but doesn't go to the blockhost tab
                                            dfb4f1d0-cfe3-4151-b722-09b81de06e3d-image.png
                                            f6d6bd19-aea4-4d9c-9c35-4671a53336a7-image.png

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.