  • Hi there,
First of all, I am new to Snort ;-)
    I am trying to block spam messages to my mail server using snort. I wrote a rule which identifies the spammer:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"hiringgovnl spam"; flow:to_server,established; classtype:policy-violation; sid:5000002; rev:1; content:""; nocase; offset:12;)
When I restart Snort, it starts putting these alerts in the Alerts tab; it also puts the IP addresses in the Blocked tab. But when I check my mail server, I see all the mails coming in.
    Why is it not blocking the traffic?
    And which local.rules file should I update? (I now update /usr/local/etc/snort/rules/snort_local.rules and the /usr/local/etc/snort/snort_3323/rules/snort_local.rules)
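
As an added example (not code from the poster or from the Snort project): the small Python script below parses a Snort rule header and its options, then applies the `content` / `nocase` / `offset` / `depth` logic to constructed SMTP payloads so you can see what a rule does and does not match before loading it. It uses a hypothetical pattern `example-spam-marker` because the content string of the posted rule did not survive on the page; only absolute content modifiers are implemented (no `distance`/`within`), which is a simplification of Snort's matcher. It also lints the rule exactly as posted, where the empty `content:""` is flagged.

```python
import re

# Hypothetical rule for illustration: same shape as the posted one, but with a
# made-up content pattern (the real pattern is not on the page).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"hiringgovnl spam"; flow:to_server,established; '
    'classtype:policy-violation; sid:5000002; rev:1; '
    'content:"example-spam-marker"; nocase; offset:12;)'
)

# The rule as it appears in the post (empty content pattern).
POSTED_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"hiringgovnl spam"; flow:to_server, established; '
    'classtype:policy-violation; sid:5000002; rev:1; '
    'content:""; nocase; offset:12;)'
)

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def parse_rule(text):
    """Split a one-line Snort rule into header fields and an ordered option list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    opts = []
    # Split on ';' only outside double quotes, so 'msg:"a; b"' stays intact.
    for part in re.findall(r'(?:[^;"]|"(?:[^"\\]|\\.)*")+', m.group("opts")):
        part = part.strip()
        if not part:
            continue
        if ":" in part:
            k, v = part.split(":", 1)
            opts.append((k.strip(), v.strip()))
        else:
            opts.append((part, None))  # flag-style option such as nocase
    rule["options"] = opts
    return rule


def content_bytes(spec):
    """Turn a Snort content string (text with optional |hex| segments) into bytes."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += chunk.encode("latin-1") if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def contents(rule):
    """Collect each content pattern with the modifiers that follow it."""
    specs = []
    for k, v in rule["options"]:
        if k == "content":
            specs.append({"pattern": content_bytes(v[1:-1]), "nocase": False,
                          "offset": 0, "depth": None})
        elif k == "nocase" and specs:
            specs[-1]["nocase"] = True
        elif k in ("offset", "depth") and specs:
            specs[-1][k] = int(v)
    return specs


def matches(rule, payload):
    """Absolute content matching: offset = where to start, depth = how far to look."""
    specs = contents(rule)
    if not specs:
        return False
    for s in specs:
        pat = s["pattern"]
        if not pat:
            return False  # an empty pattern matches nothing useful
        start = s["offset"]
        end = len(payload) if s["depth"] is None else start + s["depth"]
        hay = payload[start:end]
        if s["nocase"]:
            hay, pat = hay.lower(), pat.lower()
        if pat not in hay:
            return False
    return True


def lint(rule):
    """Report rule problems that make it useless before it is ever loaded."""
    problems = []
    for s in contents(rule):
        if not s["pattern"]:
            problems.append('empty content pattern: Snort will not load content:""')
    if not any(k == "sid" for k, _ in rule["options"]):
        problems.append("missing sid")
    return problems


# Constructed SMTP client lines (not captured traffic).
SPAM = b"MAIL FROM:<someone@example.test> EXAMPLE-SPAM-MARKER\r\n"
EARLY = b"EXAMPLE-SPAM-MARKER ok\r\n"   # marker before byte 12, so offset:12 skips it
HAM = b"MAIL FROM:<ham@example.test>\r\n"

if __name__ == "__main__":
    r = parse_rule(SAMPLE_RULE)
    for p in (SPAM, EARLY, HAM):
        print(matches(r, p), p)
    print(lint(parse_rule(POSTED_RULE)))
```

Running it shows the nocase match on the first line, the miss on the second line caused purely by `offset:12`, and a lint warning for the posted rule's empty content.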


  • OK,
I reinstalled Snort without success. It still says it blocked some IPs, but it really didn't. Should these blocks also be in the firewall logs if it were working?



  • OK,
I found out I had to enable all preprocessors. After that it started working.

  • A man who seeks wisdom is able to find it for himself. Even suffering for a few days.

  • Make that a few weeks  :-\ ;)

