    Snort blocks IP despite disabled rule!

    pfSense Packages
    • S
      Supermule Banned last edited by

      I have disabled some PDF rules but Snort keeps blocking them!



      • ?
        A Former User last edited by

        I'm guessing you forgot to restart the interface.
        Go to Services>snort, click on the red X box (where it says enabled). Wait for it to turn green. Wait a few more seconds. Click the green box and wait for it to turn red. Go into blocked hosts and remove the blocked hosts. Done.

        • S
          Supermule Banned last edited by

          I restarted it several times…

          That's why I found it very odd!

          • bmeeks
            bmeeks last edited by

            @Supermule:

            I have disabled some PDF rules but Snort keeps blocking them!

            Supermule:

            Are you seeing this behavior with the new experimental Snort code I sent you via e-mail a week ago, or is this with the stock 2.5.7 package?  I am not home now where I can check, but I do remember uncovering a problem in the SID enable/disable code a while back and fixing it.  I just can't remember off the top of my head if I fixed it with the 2.5.7 release, or if it is included in the experimental 2.5.8 release I sent you to test.

            To see if the rule is actually disabled, log in to the firewall console via PuTTY or directly, and navigate to the sub-directory containing the rules for the affected interface.  Run "grep SID snort.rules" where you replace SID with the actual Signature ID of the rule you are checking.  It should come back with a "#" in front of the rule text if it is disabled.  No "#" means not disabled.

            Bill

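The grep check described in the post above, as an added example that is not part of the original thread or the Snort package: it matches the `sid:` option exactly, since a bare grep for a number also hits longer SIDs and `rev:` fields, and it reports a rule as enabled if any uncommented copy exists. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a SID in a Snort rules file.

rule_state() {
    # $1 = rules file, $2 = numeric Signature ID (function name is hypothetical)
    file=$1; sid=$2
    case $sid in ''|*[!0-9]*) echo "invalid-sid"; return 2 ;; esac
    [ -r "$file" ] || { echo "unreadable"; return 2; }

    # Match the sid option exactly: "sid:2000;" must not hit "sid:20001;"
    # or "rev:2000;", which a bare "grep 2000" would.
    pat="sid:[[:space:]]*${sid}[[:space:]]*;"

    # A rule is active if any matching line does not start with '#'.
    if grep -E "$pat" "$file" | grep -Eqv '^[[:space:]]*#'; then
        echo "enabled"
    elif grep -Eq "^[[:space:]]*#.*$pat" "$file"; then
        echo "disabled"
    else
        echo "missing"
    fi
}

make_sample_rules() {
    # Constructed sample rules (not real signatures), written to $1.
    cat > "$1" <<'EOF'
alert tcp any any -> any any (msg:"constructed PDF rule A"; sid:2000; rev:3;)
# alert tcp any any -> any any (msg:"constructed PDF rule B"; sid:20001; rev:2000;)
#alert tcp any any -> any any (msg:"constructed PDF rule C"; sid:3000; rev:1;)
alert tcp any any -> any any (msg:"constructed PDF rule C copy"; sid:3000; rev:1;)
EOF
}

# Demo: on the firewall, pass the interface's snort.rules instead of the sample.
tmp=$(mktemp) && make_sample_rules "$tmp"
for s in 2000 20001 3000 4000; do
    printf 'SID %s: %s\n' "$s" "$(rule_state "$tmp" "$s")"
done
rm -f "$tmp"
```

SID 3000 in the sample shows the case worth checking after a disable that did not take effect: one copy is commented out, but a second, active copy keeps the rule enabled.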
            • S
              Supermule Banned last edited by

              2.5.7.

              I haven't had the time to load the 2.5.8 yet since I am fooking busy at work!

              Get back to you soon Bill when I get to do that. But problems are on 2.5.7!
