Netgate Discussion Forum

    Snort Alert list explanation

    Category: IDS/IPS
    icoso

      I am new to using Snort in a Netgate router with pfSense.

      In the Snort settings under alerts I am seeing notice like this:
      2025-09-08
      16:34:17 1 UDP Attempted User Privilege Gain 37.60.141.158
      47167 195.252.###.###
      9034 1:58853
      SERVER-OTHER RealTek UDPServer command injection attempt

      Does this mean that someone from 37.60.141.158 tried to login to my router or is trying to log in to my router? Does SNORT block this attempt? Or how do I block this attempt? There is nothing showing up in my BLOCKED list.

      Will snort ONLY block these IPs if I have "Block Offenders" checked? If yes, should I use legacy mode or inline mode? My understanding is that if I use legacy mode all rules will be enabled and any alerts will be automatically blocked, right? If I use inline mode, then NO rules will be automatically blocked and I would have to enable the action for that rule for it to be blocked, right?

      If I use inline mode, how do I enable a rule? Right now I just have a yellow triangle under the action for this rule.

      How do I know which rules Snort is using? Under WAN Categories, if I choose balanced, NONE of the rulesets (Categories) shown at the bottom are checked?

      Here is another alert that I'm wondering about:
      2025-09-08
      08:38:21 3 Generic Protocol Command Decode 97.78.###.###
      24.172.###.###
      123:8
      (spp_frag3) Fragmentation overlap

      The source IP 97.78.###.### is my main office IP address and the Destination IP 24.172.###.### is my branch office. I'm not sure what this is and I definitely don't want this data being blocked by SNORT, so would this be a good reason to NOT use legacy mode in the Blocked Offenders section?

        SteveITS @icoso

        @icoso first of all, don't block anything until you have your setup straight.

        If Snort is running on WAN, be aware that since it runs outside the firewall it will scan packets the firewall will drop.

        Yes you’d need to enable blocking.

        I suggest legacy mode to start. It scans a copy of each packet. It’s much easier to get started and you don’t have to worry about driver issues.

        The rules you enable are up to you. For instance, if you don't host a web server, the web server ruleset is kind of pointless.

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
        Upvote 👍 helpful posts!

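The two alerts in the question and the legacy-mode blocking advice in the reply can be worked through with a small triage script. This is an added example written for this thread, not code from the pfSense Snort package; it parses records constructed to mirror the fields the Alerts tab shows (date/time, priority, protocol, classification, source, source port, destination, destination port, GID:SID, message), tells ruleset alerts (GID 1 and 3) apart from preprocessor alerts such as frag3 (GID 123), and predicts which address legacy mode would put in the block table when Block Offenders is on. The masked octets from the thread are replaced with RFC 5737 documentation addresses, and `PASS_LIST` (standing in for the pfSense Pass List, which by default already contains the firewall's own interface addresses) is a constructed assumption.

```python
"""Triage helper for pfSense/Snort alert entries (hypothetical, for this thread).

Not part of the pfSense Snort package. Alert records are constructed here to
mirror the fields shown in the Alerts tab. Masked octets from the thread are
replaced by RFC 5737 documentation addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample records, " | " separated. Empty protocol/port fields mirror
# the frag3 alert, which fires on IP fragments rather than a full UDP/TCP flow.
SAMPLE_ALERTS = """\
2025-09-08 16:34:17 | 1 | UDP | Attempted User Privilege Gain | 37.60.141.158 | 47167 | 192.0.2.10 | 9034 | 1:58853 | SERVER-OTHER RealTek UDPServer command injection attempt
2025-09-08 08:38:21 | 3 |  | Generic Protocol Command Decode | 198.51.100.5 |  | 203.0.113.7 |  | 123:8 | (spp_frag3) Fragmentation overlap
"""

# Snort generator IDs: 1 and 3 are rules from a ruleset; everything else is a
# built-in preprocessor or decoder check that no category checkbox controls.
GENERATORS = {
    1: "text rule from an enabled ruleset",
    3: "shared-object rule",
    116: "packet decoder",
    119: "http_inspect preprocessor",
    123: "frag3 IP defragmentation preprocessor",
    129: "stream5 TCP reassembly preprocessor",
}
PRIORITY = {1: "high", 2: "medium", 3: "low", 4: "very low"}

# Constructed pass list: the firewall's own WAN address (192.0.2.10) plus the
# two office networks that must never be blocked by the sensor.
PASS_LIST = [ipaddress.ip_network("192.0.2.10/32"),
             ipaddress.ip_network("198.51.100.0/24"),
             ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Alert:
    timestamp: str
    priority: int
    proto: str
    classification: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    gid: int
    sid: int
    message: str


def parse_alert(line: str) -> Alert:
    """Split one constructed record into typed fields; protocol and ports may be empty."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 10:
        raise ValueError(f"expected 10 fields, got {len(parts)}: {line!r}")
    ts, pri, proto, cls, src, sport, dst, dport, gidsid, msg = parts
    gid, sid = (int(x) for x in gidsid.split(":"))
    return Alert(ts, int(pri), proto, cls, src, int(sport) if sport else None,
                 dst, int(dport) if dport else None, gid, sid, msg)


def parse_alerts(text: str) -> list:
    return [parse_alert(ln) for ln in text.splitlines() if ln.strip()]


def on_pass_list(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PASS_LIST)


def suppress_line(alert: Alert, track: Optional[str] = None) -> str:
    """Snort suppress directive for this GID:SID, optionally scoped to one address."""
    line = f"suppress gen_id {alert.gid}, sig_id {alert.sid}"
    if track in ("by_src", "by_dst"):
        ip = alert.src if track == "by_src" else alert.dst
        line += f", track {track}, ip {ip}"
    return line


def triage(alert: Alert, block_offenders: bool, block_which: str = "both") -> dict:
    """Explain an alert and predict what legacy-mode blocking would do.

    block_which mirrors the 'Which IP to Block' setting (src, dst or both).
    Offenders are only blocked when Block Offenders is on, and an address on
    the pass list is never blocked.
    """
    candidates = {"src": [alert.src], "dst": [alert.dst],
                  "both": [alert.src, alert.dst]}[block_which]
    blocked = [ip for ip in candidates if not on_pass_list(ip)] if block_offenders else []
    site_to_site = on_pass_list(alert.src) and on_pass_list(alert.dst)
    return {
        "sid": f"{alert.gid}:{alert.sid}",
        "severity": PRIORITY.get(alert.priority, "unknown"),
        "origin": GENERATORS.get(alert.gid, f"generator {alert.gid}"),
        "preprocessor": alert.gid not in (1, 3),
        "site_to_site": site_to_site,
        "would_block": blocked,
        # A preprocessor alert between your own sites is a suppress candidate,
        # not something to block.
        "suppress": suppress_line(alert) if site_to_site else None,
    }


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a.message, triage(a, block_offenders=True))
```

Run against the two sample records, the RealTek alert (GID 1, priority 1) is a ruleset hit from the outside address, and with Block Offenders on in legacy mode that outside address is the only one that would land in the block table because the WAN address is on the pass list; the frag3 alert (GID 123, priority 3) comes from a preprocessor, not from any category you can tick, and since both ends are office addresses the script emits `suppress gen_id 123, sig_id 8` for the suppress list rather than a block.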