Snort fails to block any IPs that were cleared from the list.



  • I can reproduce this right after a fresh install or re-install of snort…

    I noticed I have many alerts on the same IP, indicating it's not actually blocking anymore, just alerting.

    To reproduce, just go to shields-up (and get it to do a port scan), assuming you enabled port scan detection. You will see it immediately blocks the site,
    with an alert and a block IP entry.

    But if the block list is cleared and you do the same, it will appear to create the block entry, but it will not actually block the site anymore.

    The same happens if you let Snort clear its own IPs after a specified time.

    I got desperate and tried to just press the download list button on the alerts page so I could manually enter these IPs into my blacklist, but it fails to create a list. So even that is busted.

    Currently, as far as I see, Snort will work for a day discovering new IPs to block, then eventually will let them pass as the list is cleared. Very frustrating...



  • @kevin067:

    I can reproduce this right after a fresh install or re-install of snort…

    I noticed I have many alerts on the same IP, indicating it's not actually blocking anymore, just alerting.

    To reproduce, just go to shields-up (and get it to do a port scan), assuming you enabled port scan detection. You will see it immediately blocks the site,
    with an alert and a block IP entry.

    But if the block list is cleared and you do the same, it will appear to create the block entry, but it will not actually block the site anymore.

    The same happens if you let Snort clear its own IPs after a specified time.

    I got desperate and tried to just press the download list button on the alerts page so I could manually enter these IPs into my blacklist, but it fails to create a list. So even that is busted.

    Currently, as far as I see, Snort will work for a day discovering new IPs to block, then eventually will let them pass as the list is cleared. Very frustrating...

    What version of pfSense are you running?  I assume since you say you can reproduce after a fresh install that you are using the Snort 2.9.4.6 v2.6.0 package.

    When "clearing the block list", what exactly are you doing in the GUI?

    Bill



  • I am running pfSense 2.1 (x86) and Snort 2.9.4.6 pkg v. 2.6.0.

    I have many times started from a fresh install, and have deleted and re-installed Snort without the settings being kept between installs.

    I simply go to the "Blocked" tab and hit "Clear" (the block list).

    Any way to view the internal blocks created by Snort?

    Also, the "Download" (the blocks) button doesn't do anything, which would have allowed me to enter this list into a blacklist myself.



  • @kevin067:

    Any way to view the internal blocks created by Snort?

    Also, the "Download" (the blocks) button doesn't do anything, which would have allowed me to enter this list into a blacklist myself.

    Snort inserts its blocks into the pf Table "snort2c".  You can view it under Diagnostics…Tables from the pfSense menu.  This is the table that the filter_reload() process is clearing as I mentioned in some other threads.  The BLOCKED tab in Snort actually just reads the contents of this table and displays it.

    The download button on the BLOCKED (and ALERTS) tab has been broken for quite a while and I did not realize it.  It is fixed in the Snort package update currently awaiting approval from the pfSense Core Team.  That package version will be 2.6.1 when they approve and merge it.

    Bill



  • Thanks,
    On the next release, can you have Snort spew a log entry indicating that it has cleared the block list? Then it will be possible to know when in the log it is cleared.

    So, for diagnostic purposes, in what order does Snort start analyzing the traffic? Before all the custom rules, or after? If before, wouldn't it be more efficient to let Snort analyze the traffic after all block lists have been processed? It seems I see alerts from entries I have blocked manually, and analyzing already-blocked IPs seems a waste. It also wouldn't be a bad idea to insert "blocked" IPs into the firewall logs (just like the custom rules can). Maybe just a checkbox in the settings tab that says "log blocked entries".

    Thanks,
    Kevin



  • @kevin067:

    Thanks,
    On the next release, can you have Snort spew a log entry indicating that it has cleared the block list? Then it will be possible to know when in the log it is cleared.

    So, for diagnostic purposes, in what order does Snort start analyzing the traffic? Before all the custom rules, or after? If before, wouldn't it be more efficient to let Snort analyze the traffic after all block lists have been processed? It seems I see alerts from entries I have blocked manually, and analyzing already-blocked IPs seems a waste. It also wouldn't be a bad idea to insert "blocked" IPs into the firewall logs (just like the custom rules can). Maybe just a checkbox in the settings tab that says "log blocked entries".

    Thanks,
    Kevin

    The Snort GUI does not know when the blocks are cleared.    Remember the GUI is only running while you are interacting with it via the menus, and that GUI is not even really Snort.  Snort itself is a completely separate autonomous binary.  The GUI is just a front-end to create the snort.conf file for that binary.  Also, the clearing of the block table is done by a FreeBSD utility called "expiretable" that is run via a crontab job.

    That's a long-winded explanation that translates to -  "some of what you suggest can't be done in the package".. :D

    As for the order of packet processing in pfSense and FreeBSD, I must profess ignorance for now.  I have not researched into that.  I was not the original creator of the Snort package on pfSense.  I just added some updates starting in January of this year, so I'm far from an expert on how it works (the binary, that is) on pfSense.

    Bill
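Added example (not from this thread, the Snort package, or pfSense itself): a small POSIX sh watcher that snapshots the "snort2c" pf table Bill describes and logs additions, removals, and a wholesale clear to syslog, giving the "block list was cleared" log entry Kevin asked for without changing the package. It assumes pfctl and logger exist on the box and uses a state directory path of its own choosing; the diff helpers are pure sh, so they can be exercised on constructed snapshot files.

```shell
#!/bin/sh
# Added example, not part of the pfSense Snort package. Snapshot the pf table
# that Snort populates and log what changed since the last run, so a clear by
# the cron-driven expiretable job shows up in the system log.
# Assumes pfctl(8) and logger(1) are present (true on pfSense/FreeBSD).

TABLE="snort2c"
STATE_DIR="${STATE_DIR:-/var/db/snort2c-watch}"   # assumed path, not a pfSense default

# Dump the current table contents, one address per line, sorted for comm(1).
snapshot_table() {
    pfctl -t "$TABLE" -T show 2>/dev/null | tr -d ' \t' | sort
}

# Compare two sorted snapshot files: "+addr" for entries that appeared,
# "-addr" for entries that vanished.
diff_snapshots() {
    old="$1"; new="$2"
    comm -13 "$old" "$new" | sed 's/^/+/'
    comm -23 "$old" "$new" | sed 's/^/-/'
}

# True when the table went from non-empty to empty: a wholesale clear,
# which is exactly what the expiretable cron job produces.
table_was_cleared() {
    [ -s "$1" ] && [ ! -s "$2" ]
}

# One watch cycle: compare against the previous snapshot and log the delta.
watch_once() {
    mkdir -p "$STATE_DIR"
    prev="$STATE_DIR/prev"; cur="$STATE_DIR/cur"
    [ -f "$prev" ] || : > "$prev"
    snapshot_table > "$cur"
    if table_was_cleared "$prev" "$cur"; then
        logger -t snort2c-watch "table $TABLE emptied ($(wc -l < "$prev") entries gone)"
    fi
    diff_snapshots "$prev" "$cur" | while read -r change; do
        logger -t snort2c-watch "$TABLE $change"
    done
    mv "$cur" "$prev"
}

# Intended to run from cron (e.g. every minute); does nothing off-box.
if command -v pfctl >/dev/null 2>&1; then
    watch_once
fi
```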

