Netgate Discussion Forum

    Snort and blocking source/dest IP

    pfSense Packages
      Hostmaster

      Hello,

      I have tried out snort-dev on pfSense 1.2.2 RC1 and noticed that Snort is still only blocking the source IP addresses that pop up in the alert log. When will there be a fix for this?

      // BlackWand

        Hugovsky

        Actually, I was just about to start a post about that. To me, it's working weird. I have 1.2.3-RC3 built on Mon Sep 14 23:09:32 UTC 2009 FreeBSD 7.2-RELEASE-p3 i386. Using snort-dev. Snort 2.8.4.1_1 pkg v. 1.6 Beta. Here are my alerts:

        [ ** ] [ 122:3:0 ] (portscan) TCP Portsweep [ ** ]  
        [ Priority: 3 ]  
        09/18-19:01:19.050424 85.241.62.54 -> 4.79.142.202
        PROTO:255 TTL:0 TOS:0x0 ID:65441 IpLen:20 DgmLen:159 DF

        [ ** ] [ 122:23:0 ] (portscan) UDP Filtered Portsweep [ ** ]  
        [ Priority: 3 ]  
        09/18-19:08:12.845122 85.241.62.54 -> 212.55.154.190
        PROTO:255 TTL:0 TOS:0x0 ID:33868 IpLen:20 DgmLen:164

        [ ** ] [ 122:23:0 ] (portscan) UDP Filtered Portsweep [ ** ]  
        [ Priority: 3 ]  
        09/18-19:16:28.527528 85.241.62.54 -> 212.55.154.190
        PROTO:255 TTL:0 TOS:0x0 ID:26177 IpLen:20 DgmLen:164

        My IP is 85.241.62.54. I'm using PPPoE on the WAN interface. I keep being blocked. Bug maybe?

          Hugovsky

          RC2 just got out… ;)

            jamesdean

            @Hugovsky:

            Actually, I was just about to start a post about that. To me, it's working weird. I have 1.2.3-RC3 built on Mon Sep 14 23:09:32 UTC 2009 FreeBSD 7.2-RELEASE-p3 i386. Using snort-dev. Snort 2.8.4.1_1 pkg v. 1.6 Beta. Here are my alerts:

            [ ** ] [ 122:3:0 ] (portscan) TCP Portsweep [ ** ]  
            [ Priority: 3 ]  
            09/18-19:01:19.050424 85.241.62.54 -> 4.79.142.202
            PROTO:255 TTL:0 TOS:0x0 ID:65441 IpLen:20 DgmLen:159 DF

            [ ** ] [ 122:23:0 ] (portscan) UDP Filtered Portsweep [ ** ]  
            [ Priority: 3 ]  
            09/18-19:08:12.845122 85.241.62.54 -> 212.55.154.190
            PROTO:255 TTL:0 TOS:0x0 ID:33868 IpLen:20 DgmLen:164

            [ ** ] [ 122:23:0 ] (portscan) UDP Filtered Portsweep [ ** ]  
            [ Priority: 3 ]  
            09/18-19:16:28.527528 85.241.62.54 -> 212.55.154.190
            PROTO:255 TTL:0 TOS:0x0 ID:26177 IpLen:20 DgmLen:164

            My IP is 85.241.62.54. I'm using PPPoE on the WAN interface. I keep being blocked. Bug maybe?

            Hugovsky

            Your IP should be whitelisted automatically. Send me a PM with the output of this.

            cat  "/var/db/whitelist"

            James
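
The self-block Hugovsky reports can be checked offline by parsing alert blocks in the format posted above and testing each source address, the one Snort blocks, against the whitelist. This is an added example, not code from the thread or from the pfSense Snort package; the one-entry-per-line layout assumed for /var/db/whitelist, the sample whitelist entries and all function names are assumptions.

```python
import ipaddress
import re

# Two alert blocks copied from the thread above.
ALERTS = """\
[ ** ] [ 122:3:0 ] (portscan) TCP Portsweep [ ** ]
[ Priority: 3 ]
09/18-19:01:19.050424 85.241.62.54 -> 4.79.142.202
PROTO:255 TTL:0 TOS:0x0 ID:65441 IpLen:20 DgmLen:159 DF

[ ** ] [ 122:23:0 ] (portscan) UDP Filtered Portsweep [ ** ]
[ Priority: 3 ]
09/18-19:08:12.845122 85.241.62.54 -> 212.55.154.190
PROTO:255 TTL:0 TOS:0x0 ID:33868 IpLen:20 DgmLen:164
"""
# Constructed whitelist lines; the one-entry-per-line format is an assumption.
WHITELIST_LINES = ["192.168.1.0/24  # LAN", "127.0.0.1"]

HEADER = re.compile(r"\[\s*\*\*\s*\]\s*\[\s*(\d+:\d+:\d+)\s*\]\s*(.*?)\s*\[\s*\*\*\s*\]")
FLOW = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$")

def parse_alerts(text):
    """Return one dict per alert block: sid (gid:sid:rev), msg, time, src, dst."""
    alerts, current = [], None
    for line in text.splitlines():
        head, flow = HEADER.search(line), FLOW.match(line.strip())
        if head:
            current = {"sid": head.group(1), "msg": head.group(2)}
        elif flow and current is not None:
            current.update(time=flow.group(1), src=flow.group(2), dst=flow.group(3))
            alerts.append(current)
            current = None
    return alerts

def load_whitelist(lines):
    """Assumed format: one IPv4 address or CIDR per line; '#' starts a comment."""
    entries = (raw.split("#", 1)[0].strip() for raw in lines)
    return [ipaddress.ip_network(e, strict=False) for e in entries if e]

def self_blocks(alerts, whitelist, own_ips):
    """Alerts whose source (the blocked address) is ours and not whitelisted."""
    own = {ipaddress.ip_address(ip) for ip in own_ips}
    def exposed(ip):
        return ip in own and not any(ip in net for net in whitelist)
    return [a for a in alerts if exposed(ipaddress.ip_address(a["src"]))]

if __name__ == "__main__":
    for a in self_blocks(parse_alerts(ALERTS), load_whitelist(WHITELIST_LINES), ["85.241.62.54"]):
        print(f"{a['time']} own address {a['src']} would be blocked by {a['sid']} {a['msg']}")
```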

              jamesdean

              @Hostmaster:

              Hello,

              I have tried out snort-dev on pfSense 1.2.2 RC1 and noticed that Snort is still only blocking the source IP addresses that pop up in the alert log. When will there be a fix for this?

              // BlackWand

              It's on my TODO list; I have to write custom C++ code into the Snort source code.

              Be patient

              James

                Hugovsky

                Seems to be working just fine in RC2. I'll update as soon as news shows up.

                  Hostmaster

                  jamesdean, OK. Good to know it's at least on the TODO list.  ;D
