Snort and blocking source/dest IP



  • Hello,

    I have tried out the snort-dev on a pfsense 1.2.2 RC1 and noticed that the snort is still only blocking source IP addresses that pop up in the alert log. When will there be a fix for this?

    // BlackWand



  • Actually, I was just about to start a post about that. To me, it's working weird. I have 1.2.3-RC3 built on Mon Sep 14 23:09:32 UTC 2009 FreeBSD 7.2-RELEASE-p3 i386. Using snort-dev. Snort 2.8.4.1_1 pkg v. 1.6 Beta. Here are my alerts:

    [ ** ] [ 122:3:0 ] (portscan) TCP Portsweep [ ** ]  
    [ Priority: 3 ]  
    09/18-19:01:19.050424 85.241.62.54 -> 4.79.142.202
    PROTO:255 TTL:0 TOS:0x0 ID:65441 IpLen:20 DgmLen:159 DF

    [ ** ] [ 122:23:0 ] (portscan) UDP Filtered Portsweep [ ** ]  
    [ Priority: 3 ]  
    09/18-19:08:12.845122 85.241.62.54 -> 212.55.154.190
    PROTO:255 TTL:0 TOS:0x0 ID:33868 IpLen:20 DgmLen:164

    [ ** ] [ 122:23:0 ] (portscan) UDP Filtered Portsweep [ ** ]  
    [ Priority: 3 ]  
    09/18-19:16:28.527528 85.241.62.54 -> 212.55.154.190
    PROTO:255 TTL:0 TOS:0x0 ID:26177 IpLen:20 DgmLen:164

    My IP is 85.241.62.54. I'm using PPPoE on the WAN interface. I keep being blocked. Bug maybe?



  • rc2 just got out… ;)



  • @Hugovsky:

    Actually, I was just about to start a post about that. To me, it's working weird. I have 1.2.3-RC3 built on Mon Sep 14 23:09:32 UTC 2009 FreeBSD 7.2-RELEASE-p3 i386. Using snort-dev. Snort 2.8.4.1_1 pkg v. 1.6 Beta. Here are my alerts:

    [ ** ] [ 122:3:0 ] (portscan) TCP Portsweep [ ** ]  
    [ Priority: 3 ]  
    09/18-19:01:19.050424 85.241.62.54 -> 4.79.142.202
    PROTO:255 TTL:0 TOS:0x0 ID:65441 IpLen:20 DgmLen:159 DF

    [ ** ] [ 122:23:0 ] (portscan) UDP Filtered Portsweep [ ** ]  
    [ Priority: 3 ]  
    09/18-19:08:12.845122 85.241.62.54 -> 212.55.154.190
    PROTO:255 TTL:0 TOS:0x0 ID:33868 IpLen:20 DgmLen:164

    [ ** ] [ 122:23:0 ] (portscan) UDP Filtered Portsweep [ ** ]  
    [ Priority: 3 ]  
    09/18-19:16:28.527528 85.241.62.54 -> 212.55.154.190
    PROTO:255 TTL:0 TOS:0x0 ID:26177 IpLen:20 DgmLen:164

    My IP is 85.241.62.54. I'm using PPPoE on the WAN interface. I keep being blocked. Bug maybe?

    Hugovsky

    Your IP should be whitelisted automatically. Send me a PM with the output of this.

    cat "/var/db/whitelist"

    James
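
The self-blocking reported above and the whitelist check James asks for can be reproduced offline. This is an added example, not code from the thread or from the pfSense Snort package: it parses alerts in the format quoted in the post and reports which source addresses a source-only blocker would act on and which a whitelist exempts. The whitelist format (one IP or CIDR per line) and all function names are assumptions; the thread does not show the layout of /var/db/whitelist.

```python
import ipaddress
import re

# Constructed sample: two alerts in the format quoted in the thread.
SAMPLE_ALERTS = """\
[ ** ] [ 122:3:0 ] (portscan) TCP Portsweep [ ** ]
[ Priority: 3 ]
09/18-19:01:19.050424 85.241.62.54 -> 4.79.142.202
PROTO:255 TTL:0 TOS:0x0 ID:65441 IpLen:20 DgmLen:159 DF

[ ** ] [ 122:23:0 ] (portscan) UDP Filtered Portsweep [ ** ]
[ Priority: 3 ]
09/18-19:08:12.845122 85.241.62.54 -> 212.55.154.190
PROTO:255 TTL:0 TOS:0x0 ID:33868 IpLen:20 DgmLen:164
"""

HEADER = re.compile(r"^\[\s*\*\*\s*\]\s*\[\s*(\d+:\d+:\d+)\s*\]\s*(.*?)\s*\[\s*\*\*\s*\]\s*$")
FLOW = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$")

def parse_alerts(text):
    """Yield (rule_id, message, src, dst) for each alert block."""
    rule_id = msg = None
    for line in text.splitlines():
        line = line.strip()
        h = HEADER.match(line)
        if h:
            rule_id, msg = h.groups()
            continue
        f = FLOW.match(line)
        if f and rule_id:
            yield rule_id, msg, ipaddress.ip_address(f.group(1)), ipaddress.ip_address(f.group(2))
            rule_id = msg = None

def load_whitelist(lines):
    """Assumed format: one IP or CIDR per line, '#' starts a comment."""
    nets = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def source_block_decisions(text, whitelist):
    """Return (to_block, exempt): alert sources to block, and whitelisted sources skipped."""
    to_block, exempt = set(), set()
    for _rule, _msg, src, _dst in parse_alerts(text):
        (exempt if any(src in net for net in whitelist) else to_block).add(str(src))
    return sorted(to_block), sorted(exempt)
```

With an empty whitelist the firewall's own WAN address ends up in the block set, which matches the symptom in the post; adding that address to the whitelist moves it to the exempt set.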



  • @Hostmaster:

    Hello,

    I have tried out the snort-dev on a pfsense 1.2.2 RC1 and noticed that the snort is still only blocking source IP addresses that pop up in the alert log. When will there be a fix for this?

    // BlackWand

    It's on my TODO list; I have to code custom C++ code into the source code of Snort.

    Be patient

    James



  • Seems to be working just fine in RC2. I'll update as soon as news shows up.



  • jamesdean, ok. Good to know it's at least on the TODO list.  ;D

