Is it source or destination that gets added to blocked list?


  • Hello,

    pfsense: 1.2.2
    snort: 2.8.4.1_1

    I receive the below alert when using the policy.rules/"smtp relaying denied" rule.
    I have checked the box ~"add alerts to block list", but it never gets added.

    08/25-10:59:28.522915 [ ** ] [ 1:1:1 ] POLICY SMTP relaying denied [ ** ] [ Classification: Misc activity ] [ Priority: 3 ] {TCP} 194.29.119.17:25 -> 193.183.18.10:45973

    The smtp filter checks outgoing traffic, so the 194.29.119.17 is my server. I want the destination IP added to the block list.

    So does pfSense only add the source (hence not adding myself, since that is my WAN IP), or does it add based on the $EXTERNAL_NET variable?

    I have tried having snort listening on both WAN/LAN/both interfaces.

    // BlackWand


  • I have found out that it is the snort2c that reads the log and adds IPs to the block list.

    http://forum.pfsense.org/index.php?topic=4435.0;all

    This thread talks all about it, and mentions that the snort2c won't add remoteIP if my WAN (whitelisted) IP is in the source field.

    Where can one get the source for snort2c? Changing that single thing shouldn't be too hard, blocking on remote instead of source. In my case I will be running rules that ONLY check outgoing traffic, like 2 rules, and only need the block remote part.


  • I also did find the source for snort2c, but I heard someone say that it is modified to better pfSense.

    Where can I get this modified source code? I am interested in editing it myself.


  • Here is where you can get the snort2c source code. http://snort2c.sourceforge.net/
    I'm not sure what you're asking about blocking source.

    I'm moving the snort package to use spoink and snort-inline.

    James
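
The blocking choice asked about in this thread, as an added example (not snort2c's code and not posted by anyone in the thread): it parses the alert line format quoted in the first post and blocks the source unless the source is whitelisted, in which case it falls back to the destination. The function names, the whitelist contents and the extra sample lines are assumptions.

```python
import ipaddress
import re

# Snort "fast" alert layout, as in the log line quoted in the thread:
#   ... {TCP} 194.29.119.17:25 -> 193.183.18.10:45973
# Ports are optional because ICMP alerts carry none.
ALERT_RE = re.compile(
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)

def parse_alert(line):
    """Return (src, dst) as IPv4Address objects, or None if the line does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    except ValueError:  # octet out of range, e.g. 999.1.1.1
        return None

def is_whitelisted(ip, whitelist):
    """True if ip falls inside any whitelisted host or CIDR network."""
    return any(ip in ipaddress.ip_network(net, strict=False) for net in whitelist)

def block_target(line, whitelist):
    """Pick the address to block: source first, destination if the source
    is whitelisted. A whitelisted address is never returned."""
    parsed = parse_alert(line)
    if parsed is None:
        return None
    for candidate in parsed:  # order is (src, dst)
        if not is_whitelisted(candidate, whitelist):
            return str(candidate)
    return None

# Assumed whitelist: the poster's WAN address from the thread.
WHITELIST = ["194.29.119.17/32"]
# Alert line from the thread (outgoing traffic, whitelisted source).
OUTBOUND = ("08/25-10:59:28.522915 [ ** ] [ 1:1:1 ] POLICY SMTP relaying denied [ ** ] "
            "[ Classification: Misc activity ] [ Priority: 3 ] {TCP} "
            "194.29.119.17:25 -> 193.183.18.10:45973")
# Constructed sample lines (documentation address ranges), not from the thread.
INBOUND = "[ ** ] [ 1:1:1 ] constructed [ ** ] {TCP} 203.0.113.9:4444 -> 194.29.119.17:25"
ICMP = "[ ** ] [ 1:1:1 ] constructed [ ** ] {ICMP} 198.51.100.7 -> 194.29.119.17"

if __name__ == "__main__":
    for sample in (OUTBOUND, INBOUND, ICMP):
        print(block_target(sample, WHITELIST))
```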