Snort blocks IPs regardless of the blocking settings
-
Pfsense 2.0.1
Snort Stable 2.9.4.6 pkg v. 2.5.9 platform: 2.0
HAVP antivirus 0.91_1 pkg v1.0
Lightsquid 1.8.0 pkg v.2.32
squid 2.7.9 pkg v.4.3.1
Hi folks,
I tested Snort for the first time on our pfSense appliance. The first day everything looked good. On the second day I tried the automatic blocking feature.
After 30 min I disabled blocking. The big problem is that Snort keeps on blocking different IPs regardless of the block settings.
Restarting Snort, stopping/disabling or deleting the Snort interface wasn't successful. The only way was the uninstallation of the Snort package.
How can I keep on analysing this behaviour?
regards
Andi
-
For starters, read this thread (especially the posts a bit farther down about creating Suppress List entries for some http_inspect preprocessor rules).
http://forum.pfsense.org/index.php/topic,61018.0.html
Snort is not an "install and forget" package. It requires specific tuning to your environment to weed out false positives. The information in the linked thread can get you started on tuning for your system.
Bill
-
Hi Bill,
thanks for your answer. I read this article before installing Snort. Any idea before I run my next Snort test?
Could a pfSense upgrade to 2.1 give me some improvements in conjunction with Snort?
Bye
Andi
-
I would start by upgrading to 2.0.3 to see if the issue is still there.
If it disappears then you can upgrade to 2.1.
-
2.0.3 is the minimum supported version for the current Snort package from what I've gathered from bmeek's posts.
-
2.0.3 is the minimum supported version for the current Snort package from what I've gathered from bmeek's posts.
Yes, fragged is correct about the pfSense version. Sorry I did not notice your pfSense version in your original post. Upgrade to at least 2.0.3, and 2.1-RELEASE is even better.
Bill