Snort auto blocked some IPs



  • I am running 1.2-BETA-1-TESTING-SNAPSHOT-05-14-2007 and I just noticed in the log files that it had blocked a couple of hosts. I have had plenty of alerts before and it's never blocked the hosts. (I don't have the Block Offenders option checked, and never had.)

    Regards

    Ben



  • Is snort2c running?

    ps awux | grep snort2c from a console / shell.



  • Yes:-

    root    58596  0.0  0.2  1292  940  ??  Is  Sat09AM  0:00.16 /usr/local/bin/snort2c -w /var/db/whitelist -a /var/log/snort/alert

    Regards

    Ben



  • And you are sure the option is not enabled?



  • I have never enabled it. I just checked and it's not showing as enabled; the XML shows:

    <subscriber><blockoffenders><automaticrulesupdate>on</automaticrulesupdate></blockoffenders></subscriber>

    So that also looks like it's not enabled.

    Is it worth me reinstalling it, maybe?

    Regards

    Ben



  • That doesn't make sense, as we do not add it to the rc.d startup file unless it's checked. Try clicking save again and see if /usr/local/etc/rc.d/snort.sh contains snort2c.


    /* if block offenders is checked, start snort2c */
    if($_POST['blockoffenders'])
        $start .= ";/usr/bin/killall snort2c; snort2c -w /var/db/whitelist -a /var/log/snort/alert";



  • No, it's not there now, and it's no longer running.

    So I have no idea why it was running, or it must have started during the reboot from the upgrade, I guess.

    I'll keep an eye on it and see if it starts again.

    Ben
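The three checks the thread walks through by hand (is snort2c in the process table, is Block Offenders set in config.xml, does the generated /usr/local/etc/rc.d/snort.sh carry the snort2c start line) can be scripted so that the kind of mismatch Ben hit is reported in one go. The script below is an added example, not code from this thread or from the pfSense snort package. The config.xml layout (a ticked box stored as `<blockoffenders>on</blockoffenders>`), the sample ps output, the sample rc.d scripts and the config path /cf/conf/config.xml are constructed assumptions modelled on what the posts show.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense snort package.
# Reconciles the three things the thread checks by hand: the blockoffenders
# setting in config.xml, the generated rc.d script, and the process table.
# XML layout, sample files and paths are assumptions modelled on the thread.

# "Block offenders" ticked?  Assumes a ticked checkbox is stored as
# <blockoffenders>on</blockoffenders>; an empty or absent element means off.
blockoffenders_enabled() {
    grep -q '<blockoffenders>on</blockoffenders>' "$1"
}

# Does the rc.d script carry the snort2c start line the package appends?
rcd_starts_snort2c() {
    grep -q 'snort2c -w' "$1"
}

# Is snort2c in the process table?  Reads ps output on stdin so it works on
# both live `ps awux` and a saved copy; drops the grep process itself.
snort2c_running() {
    grep -v grep | grep -q '[/ ]snort2c '
}

# One verdict word from the three observations (option / rc.d / process):
#   consistent-off  0/0/0          consistent-on  1/1/1
#   stale-process   0/0/1   snort2c running with nothing starting it (the thread's case)
#   stale-rcd       0/1/1   option off but snort.sh was never regenerated
#   mismatch        anything else (e.g. option on but snort2c not running)
check_state() {
    opt=0; rc=0; run=0
    blockoffenders_enabled "$1" && opt=1
    rcd_starts_snort2c "$2" && rc=1
    snort2c_running < "$3" && run=1
    case "$opt$rc$run" in
        000) echo consistent-off ;;
        111) echo consistent-on ;;
        001) echo stale-process ;;
        011) echo stale-rcd ;;
        *)   echo mismatch ;;
    esac
}

# Constructed sample inputs (not real captures) so the checks run offline.
make_samples() {
    printf '%s\n' '<blockoffenders></blockoffenders><automaticrulesupdate>on</automaticrulesupdate>' > "$1/config_off.xml"
    printf '%s\n' '<blockoffenders>on</blockoffenders><automaticrulesupdate>on</automaticrulesupdate>' > "$1/config_on.xml"
    printf '%s\n' '#!/bin/sh' 'snort -c /usr/local/etc/snort/snort.conf -D' > "$1/rcd_without.sh"
    printf '%s\n' '#!/bin/sh' 'snort -c /usr/local/etc/snort/snort.conf -D;/usr/bin/killall snort2c; snort2c -w /var/db/whitelist -a /var/log/snort/alert' > "$1/rcd_with.sh"
    cat > "$1/ps_running.txt" <<'EOF'
USER   PID %CPU %MEM  VSZ RSS TT STAT STARTED    TIME COMMAND
root 58596  0.0  0.2 1292 940 ?? Is   Sat09AM 0:00.16 /usr/local/bin/snort2c -w /var/db/whitelist -a /var/log/snort/alert
root 58590  0.0  1.0 9000 800 ?? Ss   Sat09AM 0:10.00 /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -D
root 60001  0.0  0.0  600 300 p0 R+   10:00AM 0:00.00 grep snort2c
EOF
    # Same table with snort2c (and the grep line) gone: the healthy "off" state.
    grep -v snort2c "$1/ps_running.txt" > "$1/ps_idle.txt"
}

# Stand-alone demo: reproduce the thread's situation and print the verdict.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "thread's case: $(check_state "$demo_dir/config_off.xml" "$demo_dir/rcd_without.sh" "$demo_dir/ps_running.txt")"
rm -rf "$demo_dir"
```

On a live box, save `ps awux` to a file and call check_state with the real config.xml (assumed to live at /cf/conf/config.xml), /usr/local/etc/rc.d/snort.sh and that file. A stale-process verdict is exactly what the thread describes; stale-rcd would instead point at a snort.sh that was not regenerated after the option was unticked, which is what clicking save again fixes.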

