snort2c host block
-
I have some rule blocking access to websites:
"Block snort2c hosts (1000000110)"
I don't have snort, pfblocker, suricata (I uninstalled the packages trying to get rid of this error).
I had suricata running in disabled mode previously.
I ran into this error before, but I restarted the FW thinking this was a DNS glitch. It was fixed for about a week. Now it's happening again. My firewall rules are very straight-forward.
"Allow All - any, any." -
the last rule is only me trying to make it go away.
-
@lightingman117 said in snort2c host block:
suricata (I uninstalled the packages
The snort2c table is used by Suricata internally since most of the code is similar to the Snort package (same maintainer). Not sure how it could have entries....maybe it had a block in it at uninstall time, and if Suricata is removed then Suricata wouldn't prune out expired blocks??
You might try installing Suricata again, and uncheck the option "Keep Suricata Settings After Deinstall" on the Global Settings page, and then uninstall.
-
@lightingman117 have you tried emptying the snort2c table via Diagnostics -> Tables?
-
@nogbadthebad Ha, I actually did look at that but my snort2c was empty, some others (pfB tables) just had an Update option, and others had no button. Guess I didn't click enough to find one that showed the Empty button. But it does exist. :)
-
The snort2c table is automatically created by pfSense no matter if the Snort or Suricata packages are installed or not. That table is a default construct in the firewall initialization logic. There is a built-in pfSense pf firewall rule that references that table name. Any IP address placed in that table is blocked. The table is cleared each time pfSense is rebooted, or it can be cleared by manual user action (under DIAGNOSTICS > TABLES you can select the table for viewing and then clear it out). Once an IP address is placed in that table by a Snort or Suricata installation, it remains there until manually removed or the firewall is rebooted. Thus simply removing the Snort or Suricata package or stopping the associated service will not necessarily clear the table. So blocks can remain even after the package is removed. There is an option on the GLOBAL SETTINGS tab of Snort to clear blocks when uninstalling the package. Suricata does not have this option, but I will add it to a future package update.
-
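The table behaviour described in the last post can also be checked from a pfSense shell. This is an added example, not part of the thread and not pfSense or package code; the function names are made up for illustration, and it assumes a root shell where the stock `pfctl` is available.

```shell
#!/bin/sh
# Added example: inspect the snort2c pf table left behind after an
# IDS package was stopped or removed. Function names are hypothetical.
TABLE="snort2c"   # table name taken from the thread

# Print every entry currently in the table, one per line.
# "pfctl -T show" indents its output, so awk keeps only the address field.
snort2c_list() {
    pfctl -t "$TABLE" -T show 2>/dev/null | awk 'NF { print $1 }'
}

# Succeed (exit 0) only if this exact address or network is an entry.
# -F -x avoids 192.0.2.1 matching 192.0.2.10.
snort2c_has() {
    snort2c_list | grep -Fxq -- "$1"
}

# Remove a single stale entry instead of emptying the whole table.
snort2c_unblock() {
    if snort2c_has "$1"; then
        pfctl -t "$TABLE" -T delete "$1" >/dev/null 2>&1 &&
            echo "removed $1 from $TABLE"
    else
        echo "$1 is not in $TABLE"
        return 1
    fi
}

# One-line summary: how many loaded rules reference the table and how
# many entries it holds. A non-zero entry count with no IDS package
# installed matches the stale-block situation described in the thread.
snort2c_report() {
    rules=$(pfctl -s rules 2>/dev/null | grep -c "<$TABLE>" || true)
    count=$(snort2c_list | wc -l | tr -d ' ')
    echo "rules referencing <$TABLE>: $rules; entries: $count"
}
```

After sourcing the file, `snort2c_report` shows whether anything is still blocked, and `pfctl -t snort2c -T flush` empties the table in the same way as the Empty button under Diagnostics > Tables.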