Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort still clearing blocked ip's even though it is set to "never"

    pfSense Packages
    2
    3
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      kevin067
      last edited by

      I have the latest pfsense and snort package. But if I let snort sit for awhile I find the block list has been cleared even though I have set it to never clear it.  I see nothing in the logs indicating it was cleared. And doesn't seem to be on any time interval I can deduce.

      The only thing that corresponds to the clearing of the list are these entries in the log.

      Oct 22 06:59:00 check_reload_status: Reloading filter
      Oct 22 06:59:00 php: rc.newwanip: rc.newwanip: on (IP address: 192.168.0.1) (interface: lan) (real interface: ue0).
      Oct 22 06:59:00 php: rc.newwanip: rc.newwanip: Informational is starting ue0.
      Oct 22 06:58:57 check_reload_status: rc.newwanip starting ue0
      Oct 22 06:58:57 php: rc.linkup: Hotplug event detected for LAN(lan) but ignoring since interface is configured with static IP (192.168.0.1 )
      Oct 22 06:58:57 php: rc.linkup: Hotplug event detected for LAN(lan) but ignoring since interface is configured with static IP (192.168.0.1 )
      Oct 22 06:58:55 check_reload_status: Linkup starting ue0
      Oct 22 06:58:55 kernel: ue0: link state changed to UP
      Oct 22 06:58:55 kernel: ue0: link state changed to DOWN
      Oct 22 06:58:55 check_reload_status: Linkup starting ue0
      Oct 22 06:53:55 check_reload_status: Reloading filter
      Oct 22 06:53:55 check_reload_status: Restarting OpenVPN tunnels/interfaces
      Oct 22 06:53:55 check_reload_status: Restarting ipsec tunnels
      Oct 22 06:53:55 check_reload_status: updating dyndns WAN_DHCP
      Oct 22 06:53:00 check_reload_status: Reloading filter
      Oct 22 06:53:00 check_reload_status: Restarting OpenVPN tunnels/interfaces
      Oct 22 06:53:00 check_reload_status: Restarting ipsec tunnels
      Oct 22 06:53:00 check_reload_status: updating dyndns WAN_DHCP

      This happens once or twice a day, I have no idea if this is a hacker rebooting pfsense. Or this is normal.

      But if it is normal then it ends up clearing the snort block list.

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        There are several threads on the Forum about this (Snort clearing the block list).  I wish I could collect a dollar for each one.. ;)

        The problem is not with Snort.  The issue got introduced in the 2.1 pfSense code base.  Anything that caused the filter_reload() process to execute results in all the pf (packet filter) tables getting cleared.  Snort uses a pf table called "snort2c" to enter its blocks into.  Any number of things appear to kick off the filter reload process.  Some of them are a change in the WAN IP (or just a DHCP renewal cycle if your WAN is DHCP-based), any edits to Aliases, any edits to the firewall rules themselves; and there are several other reasons.  Any one or more of these could be causing the process to run for you.  In the past it seemed to leave Snort's table alone.  That is no longer the case.

        One of the pfSense Core Team has told me he will look at fixing it soon, but a hotfix release of pfSense would be required.  That's probably not going to happen anytime too soon.

        I will repeat it one more time, there is really no security issue with the block table getting cleared early.  On the very next offending packet from a rogue host, Snort will dutifully block the IP again by putting the IP address in the "snort2c" block table.

        Bill

        1 Reply Last reply Reply Quote 0
        • K
          kevin067
          last edited by

          Well whether the problem I had was real or not. I happened to try out binding to the Lan (instead of wan) for my snort interface. And I had the results I expected with blocked ip's staying blocked. I set it to "both" for direction. That seemed to fix it.

          Only problem is snort cannot perform a portscan from this side of the network (lan). So I created two with this one on wan as a  rule-less snort interface (with portscan enabled). Which seemed to work. But annoying to see it warn me about no rules on the interface. And I probably have redundant preprocessing now.

          So not sure why I had the problem originally, but there is a solution in case anybody has had problems.

          Hopefully one day snort for pfsense will create the block list as a simple "Alias" table. Then snort2C wont be needed. And if Snort could be part of the rules chain order. (instead of first) Then the Whitelist inside of snort won't be needed either. Along with speeding it up since it will not process ip's destined to be blocked by the rule chain ahead of it. including ip's it has previously blocked.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.