Snort does not block traffic
First of all, I am new to Snort ;-)
I am trying to block spam messages to my mail server using snort. I wrote a rule which identifies the spammer:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"hiringgovnl spam"; flow:to_server, established; classtype:policy-violation; sid:5000002; rev:1; content:"hiringgovnl.com"; nocase; offset:12;)
When I restart Snort it starts putting these alerts in the alerts tab; it also puts the IP addresses in the blocked tab. But when I check my mail server I see all the mails coming in.
Why is it not blocking the traffic?
And which local.rules file should I update? (I now update /usr/local/etc/snort/rules/snort_local.rules and the /usr/local/etc/snort/snort_3323/rules/snort_local.rules)
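The following is an added example, not code from the thread or from the Snort project: a small Python emulation of how the content, nocase and offset options of the rule above are evaluated against a TCP payload. It uses constructed SMTP client lines (not captured traffic) and shows one caveat of offset:12, namely that a match starting inside the first 12 payload bytes of a segment is skipped.

```python
# Added example (not from the thread): emulate the content/nocase/offset
# evaluation of the Snort rule quoted in the post, so you can see which
# payloads it would match. Only these three options are emulated; flow,
# stream reassembly and the rest of Snort are out of scope here.

RULE_CONTENT = b"hiringgovnl.com"   # content:"hiringgovnl.com" from the rule
RULE_OFFSET = 12                    # offset:12 -> search starts at payload byte 12
RULE_NOCASE = True                  # nocase -> case-insensitive comparison


def content_matches(payload: bytes, content: bytes = RULE_CONTENT,
                    offset: int = RULE_OFFSET, nocase: bool = RULE_NOCASE) -> int:
    """Return the payload index where `content` first matches, honouring
    Snort's offset semantics (the search begins `offset` bytes into the
    payload), or -1 when there is no match."""
    haystack, needle = payload, content
    if nocase:
        haystack, needle = payload.lower(), content.lower()
    return haystack.find(needle, offset)


# Constructed SMTP client data as the mail server would see it (flow:to_server).
SAMPLES = {
    # Domain sits past byte 12 of the segment: offset:12 is satisfied, rule fires.
    "mail_from": b"MAIL FROM:<jobs@HiringGovNL.com>\r\n",
    # Domain starts at byte 5 of this segment: offset:12 skips it, no alert.
    "early_helo": b"EHLO hiringgovnl.com\r\n",
    # Unrelated sender: no match.
    "clean": b"MAIL FROM:<alice@example.net>\r\n",
}


def evaluate(samples: dict = SAMPLES) -> dict:
    """Evaluate the rule's content option against each constructed payload."""
    return {name: content_matches(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, idx in evaluate().items():
        verdict = f"match at byte {idx}" if idx >= 0 else "no match"
        print(f"{name:11s} -> {verdict}")
```

Whether a matching alert also blocks depends on how the sensor is run (inline drop versus passive alerting with an external blocker), which the emulation above does not model.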
I reinstalled Snort without success. It still says it blocked some IPs but it really didn't. Should these blocks also be in the firewall logs if it was working?
I found out I had to enable all preprocessors. After that it started working.
A man who seeks wisdom is able to find it for himself. Even suffering for a few days.
Make that a few weeks :-\ ;)