Snort broken: remove blocked hosts every 1 hour



  • Here is my setup:
    2.0.2-RELEASE (amd64)
    Snort 2.9.2.3 pkg v. 2.5.4

    I have snort setup to remove blocked hosts every 1 hour, however this does not work.
    I have hosts that have been blocked for days.

    Does anyone else have this bug?



  • Yes, it is broken for me also... I just have a script to clean it regularly.



  • Is there a centralized bug tracker for this snort package?



  • The "remove blocked hosts" setting works for me and always has.  The only difference is I am currently running the 32-bit install of 2.0.2 instead of the 64-bit.  I would not expect that to be a problem, but who knows.  All the GUI does is register a cron job to do this.

    If you have not already, try completely and totally uninstalling and removing Snort.  Click the "X" on the Installed Packages tab.  When that completes, go to the Available Packages tab and re-install it.  Using just the "re-install icon" on the Installed Packages tab leads to unpredictable results.  Don't know why, but it does.  Many others have had weird errors and problems fixed by simply following these steps.

    You can report bugs at http://redmine.pfsense.org.

    Bill



  • This may also be related to the crontab entry...
    Install the crontab package and have a look at it.



  • I have tried this uninstall method multiple times, it does not fix it.
    I have the same problem on 2 different machines.
    The whitelisted IPs are for ipsec endpoints.
    Both machines are pretty standard setups, x64 with a single WAN and single LAN port, no VLANs.



  • @RonpfS:

    This may also be related to the crontab entry...
    Install the crontab package and have a look at it.

    OK, I have just installed Cron 0.1.7
    What should I do next?



  • Make the Cron entries for Snort match what's pictured below.




  • Excellent!  Thank you, I changed

    /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 604800 snort2c

    to

    /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c


  • That was good to block a host for 7 days.  The setting in Snort @ Global Settings never updates this to the actual requested time setting.  You should be good now for blocked hosts to be removed after one hour.  Just be sure to stop the Snort service, delete any current blocked hosts, and then restart Snort.
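As an added example (not code from this thread or from the pfSense Snort package), here is a small POSIX shell check that reads a crontab and verifies that the expiretable timeout for the snort2c table matches the interval you actually configured, so the mismatch described above (GUI set to 1 hour, cron still running with 604800 seconds) is caught without reading the crontab by hand. The sample crontab text below is constructed for the demonstration, and the /etc/crontab path in the last comment is an assumption about where the entry lives.

```shell
#!/bin/sh
# Constructed sample crontab, mirroring the 7-day entry quoted in the thread.
# The schedule fields are made up; only the expiretable command line matters.
SAMPLE_CRONTAB='# pfSense Snort package (constructed sample, not a live file)
*/5 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 604800 snort2c
0 3 * * * root /usr/local/bin/unrelated_job'

# Print the -t value (seconds) from the expiretable line that targets snort2c.
# Prints nothing if no such line exists.
snort2c_expire_seconds() {
    printf '%s\n' "$1" \
      | grep 'expiretable' | grep 'snort2c' \
      | sed -n 's/.*expiretable[[:space:]]*-t[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
      | head -n 1
}

# Compare the cron entry against the interval you expect, in seconds.
# Returns 0 on match, 1 on mismatch, 2 when no snort2c entry was found.
check_snort2c_expire() {
    expected="$2"
    actual=$(snort2c_expire_seconds "$1" || true)
    if [ -z "$actual" ]; then
        echo "no expiretable entry for snort2c found in crontab" >&2
        return 2
    fi
    if [ "$actual" -ne "$expected" ]; then
        echo "mismatch: cron expires snort2c after ${actual}s, expected ${expected}s" >&2
        return 1
    fi
    echo "ok: snort2c entries expire after ${actual}s"
    return 0
}

# Demonstration: the sample still carries the 7-day value, so asking for
# the 1-hour interval from the GUI reports a mismatch (exit status 1).
check_snort2c_expire "$SAMPLE_CRONTAB" 3600 || true

# On a live box (assumed path): check_snort2c_expire "$(cat /etc/crontab)" 3600
```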

