Troubleshooting Snort not blocking



  • Running pfSense 1.2.3
    Snort 2.8.4.1_5 pkg v. 1.6
    Snort set to Interface: WAN
    Activated: Block offenders
    Activated: p2p.rules

    I get lots of p2p (BitTorrent) alerts, but nothing is blocked.
    How do I troubleshoot this?
    I would like to block LAN addresses for an hour if an alert happens.

    JClausen



  • Are the offending IPs on your whitelist?

    James



  • I have no hosts on the whitelist.

    In the meantime I updated Snort to 2.8.4.1_7 pkg v. 1.8.
    Now I don't get alerts anymore, even if I try to make a BitTorrent transfer.

    Global settings:
    Basic Rule + oink code
    Remove blocked hosts every 1 hour
    Associate events on blocked tab

    Rules updated

    Snort Interfaces (interfaces)
    WAN, Snort enabled, performance ac-bnfa, block enabled, Barnyard2 disabled

    Categories: p2p.rules enabled

    Save and start
    Services shows Snort is running.

    BTW: when on the Snort page and pressing the pfSense logo to get back to the main screen, the page is linked to /snort/index.php



  • Please enable all the preprocessors in the interface tab and restart the Snort interface.

    Good catch. "press the pfSense logo"

    James

    @jclausen:

    I have no hosts on the whitelist.

    In the meantime I updated Snort to 2.8.4.1_7 pkg v. 1.8.
    Now I don't get alerts anymore, even if I try to make a BitTorrent transfer.

    Global settings:
    Basic Rule + oink code
    Remove blocked hosts every 1 hour
    Associate events on blocked tab

    Rules updated

    Snort Interfaces (interfaces)
    WAN, Snort enabled, performance ac-bnfa, block enabled, Barnyard2 disabled

    Categories: p2p.rules enabled

    Save and start
    Services shows Snort is running.

    BTW: when on the Snort page and pressing the pfSense logo to get back to the main screen, the page is linked to /snort/index.php



  • I have now enabled all the preprocessors, but had to reboot to get Snort starting again!
    Testing when I get back to work in eight hours.

    Jesper



  • I'm confused.
    With Snort enabled on the WAN interface, I get lots of alerts, but no hosts are blocked.
    Changed to the LAN interface: lots of internal clients are blocked but no alerts.
    On the blocked page all alert descriptions are "n/a".

    Jesper

    Update:

    Now alerts and blocking work, but how do I suppress alerts like:

    [ 119:1:1 ] (http_inspect) ASCII ENCODING
    [ 119:14:1 ] (http_inspect) NON-RFC DEFINED CHAR
    [ 119:2:1 ] (http_inspect) DOUBLE DECODING ATTACK

    from blocking hosts? Still only p2p.rules is active!



  • Jesper

    You are going to have to be patient. I am still coding the blocked host tab.
    With my new code you can filter alerts by source IP, destination IP, ports, alerts and type of traffic.

    You have to use the threshold.conf in your interface directory to suppress http_inspect alerts. Search the forums on how to.

    Moreover, http_inspect alerts are preprocessors.

    James

    @jclausen:

    I'm confused.
    With Snort enabled on the WAN interface, I get lots of alerts, but no hosts are blocked.
    Changed to the LAN interface: lots of internal clients are blocked but no alerts.
    On the blocked page all alert descriptions are "n/a".

    Jesper

    Update:

    Now alerts and blocking work, but how do I suppress alerts like:

    [ 119:1:1 ] (http_inspect) ASCII ENCODING
    [ 119:14:1 ] (http_inspect) NON-RFC DEFINED CHAR
    [ 119:2:1 ] (http_inspect) DOUBLE DECODING ATTACK

    from blocking hosts? Still only p2p.rules is active!

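    As an added example (not from this thread, and not the pfSense package's own generated file), here is what the threshold.conf entries James refers to look like in Snort 2.8.4 syntax, for the three http_inspect events Jesper listed. Generator ID 119 is http_inspect; the sig_ids are the ones in the alerts above. The file location and the 10.0.0.0/8 LAN range are assumptions and must be replaced with the real interface directory and local subnet.

```conf
# Added example: suppress/threshold entries for the Snort interface's threshold.conf.
# Path is an assumption for the pfSense 1.2.3-era package; check your own interface directory.
# gen_id 119 = http_inspect preprocessor events.

# 1) Drop the event entirely, for every host. No alert is raised, so no host is blocked.
#    [119:1] ASCII ENCODING
suppress gen_id 119, sig_id 1

# 2) Drop the event only when the source is the internal LAN (placeholder range),
#    keep alerting when anyone else triggers it.
#    [119:14] NON-RFC DEFINED CHAR
suppress gen_id 119, sig_id 14, track by_src, ip 10.0.0.0/8

# 3) Rate-limit instead of silencing: at most one alert per source per hour,
#    so a noisy client is logged once rather than flooding the blocked tab.
#    Snort 2.8.4 uses the 'threshold' keyword here; later releases call it 'event_filter'.
#    [119:2] DOUBLE DECODING ATTACK
threshold gen_id 119, sig_id 2, type limit, track by_src, count 1, seconds 3600
```

    After editing, restart the Snort interface so the file is re-read, then confirm the three events no longer appear in the alerts and blocked tabs while p2p.rules still fire. Note that a suppress entry hides the event only; it does not stop the preprocessor from inspecting the traffic, so the option 2 form (scoped to your own subnet) is the safer choice when you still want to see the event from unknown sources.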


  • OK, I'm patient (a little)  ;)

    I found out how to suppress http_inspect alerts, thanks for the tip.

    Saw your mention of VLAN isolation... wow, hopefully some day :-)

    Keep up the good work James.

    Jesper



  • I had a bad day, I needed those kind words.

    James

