    Snort auto blocked some IPs

    • B
      ben.suffolk last edited by

      I am running 1.2-BETA-1-TESTING-SNAPSHOT-05-14-2007 and I just noticed in the log files that it had blocked a couple of hosts. I have had plenty of alerts before and it's never blocked the hosts. (I don't have the Block Offenders option checked, and never have.)

      Regards

      Ben

      • S
        sullrich last edited by

        Is snort2c running?

        ps awux | grep snort2c from a console / shell.

        • B
          ben.suffolk last edited by

          Yes:-

          root    58596  0.0  0.2  1292  940  ??  Is  Sat09AM  0:00.16 /usr/local/bin/snort2c -w /var/db/whitelist -a /var/log/snort/alert

          Regards

          Ben

          • S
            sullrich last edited by

            And you are sure the option is not enabled?

            • B
              ben.suffolk last edited by

              I have never enabled it. I just checked and it's not showing as enabled; the XML shows:

              <subscriber><blockoffenders><automaticrulesupdate>on</automaticrulesupdate></blockoffenders></subscriber>

              So that also looks like it's not enabled.

              Is it worth me reinstalling it, maybe?

              Regards

              Ben

              • S
                sullrich last edited by

                That doesn't make sense, as we do not add it to the rc.d startup file unless it's checked. Try clicking save again and see if /usr/local/etc/rc.d/snort.sh contains snort2c.

                
                	/* if block offenders is checked, start snort2c */
                	if($_POST['blockoffenders'])
                		$start .= ";/usr/bin/killall snort2c; snort2c -w /var/db/whitelist -a /var/log/snort/alert";
                
                
                • B
                  ben.suffolk last edited by

                  No, it's not there now, and it's no longer running.

                  So I have no idea why it was running, or it must have started during the reboot from the upgrade, I guess.

                  I'll keep an eye on it and see if it starts again.

                  ben
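
The three things checked in this thread (the saved option, the rc.d script and the process list) can be compared in one pass. This is an added example, not pfSense or Snort package code: the function name and verdict labels are hypothetical, it assumes an enabled option is stored as `<blockoffenders>on</blockoffenders>`, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not package code): report whether the saved option, the
# rc.d script and the process list agree about snort2c.
#   $1 = saved configuration XML   $2 = rc.d script   $3 = saved `ps awux` output
# Assumption: an enabled option is stored as <blockoffenders>on</blockoffenders>,
# mirroring the <automaticrulesupdate>on</automaticrulesupdate> form in the thread.
snort2c_state() {
    cfg=$1; rc=$2; ps_out=$3
    opt=off; boot=off; proc=off
    grep -q '<blockoffenders>on</blockoffenders>' "$cfg" 2>/dev/null && opt=on
    # Skip comment lines so a commented-out start command does not count.
    grep -v '^[[:space:]]*#' "$rc" 2>/dev/null | grep -q 'snort2c' && boot=on
    # Drop the "grep snort2c" line that ps shows for the search itself.
    grep -v 'grep' "$ps_out" 2>/dev/null | grep -q 'snort2c' && proc=on
    case "$opt/$boot/$proc" in
        on/on/on)    verdict=consistent-blocking ;;
        off/off/off) verdict=consistent-not-blocking ;;
        off/off/on)  verdict=stale-process ;;      # the state reported in this thread
        off/on/*)    verdict=stale-rc-entry ;;     # will start blocking at next boot
        on/off/*)    verdict=rc-missing-entry ;;   # save the settings page again
        on/on/off)   verdict=daemon-not-running ;;
    esac
    echo "option=$opt rc=$boot process=$proc verdict=$verdict"
}

# Constructed sample files reproducing what the thread describes: option unset,
# no snort2c in the rc.d script, but the daemon still in the process list.
demo_thread_case() {
    d=$(mktemp -d)
    printf '%s\n' '<automaticrulesupdate>on</automaticrulesupdate>' > "$d/config.xml"
    printf '%s\n' '#!/bin/sh' 'echo starting snort' > "$d/snort.sh"
    printf '%s\n' 'root 58596 0.0 0.2 1292 940 ?? Is Sat09AM 0:00.16 /usr/local/bin/snort2c -w /var/db/whitelist -a /var/log/snort/alert' > "$d/ps.txt"
    snort2c_state "$d/config.xml" "$d/snort.sh" "$d/ps.txt"
    rm -rf "$d"
}

demo_thread_case
```

A `stale-process` verdict means hosts can still be blocked even though the option is off, so the block table and whitelist are worth reviewing once the daemon has been stopped.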
