Snort blocking



  • Hi
I want to know how the pfSense snort package blocks attacking hosts. Is there a plugin like snortsam in the snort package?



This is already built into the snort package: open the interface settings in snort and tick 'Block Offenders'.
    You can also select whether you want to block src/dst or both, and whether you want to kill firewall states for the blocked IP.

    EDIT:
In the snort global settings there is also the option to set how often you want to remove blocks (e.g. 1 hour, 1 day, 28 days, never, etc.).



  • @Amirkabir:

    Hi
I want to know how the pfSense snort package blocks attacking hosts. Is there a plugin like snortsam in the snort package?

    Snort on pfSense makes use of an old third-party open-source plugin called Spoink.  This is compiled into the Snort binary on pfSense as an output plugin.  It sees all of the alerts and examines the IP addresses and compares them to an internal whitelist table.  Any IP address not matching up with a whitelist entry is then "blocked".  This blocking is done by calling the BSD pf (packet filter) API to insert the offending IP address into a block table called snort2c.  Currently snortsam is not used.

    Bill
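Since the blocks end up as entries in the pf table snort2c, one thing an administrator will want to check is that nothing in that table overlaps a network that should have been whitelisted. The script below is an added example, not code from the thread, from pfSense or from the Spoink plugin. It parses the plain one-address-per-line text that `pfctl -t snort2c -T show` prints (a constructed sample is embedded so it runs offline) and reports any blocked entry that falls inside a whitelist network; the whitelist networks are assumptions made for the example.

```python
import ipaddress

# Constructed sample of the text `pfctl -t snort2c -T show` prints on pfSense:
# one address (or prefix) per line, possibly indented. Not output from a real system.
SAMPLE_TABLE_OUTPUT = """\
   198.51.100.23
   203.0.113.7
   10.0.0.5
   2001:db8::1
"""

# Hypothetical whitelist: networks that must never be blocked (e.g. the LAN
# subnet and a trusted partner range). These values are assumptions for the example.
WHITELIST = ["10.0.0.0/8", "192.0.2.0/24"]


def parse_pf_table(output):
    """Parse `pfctl -t <table> -T show` text into ip_network objects.

    Single addresses become /32 or /128 networks so that prefix entries
    (which pf tables also allow) and host entries are handled uniformly.
    """
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        entries.append(ipaddress.ip_network(line, strict=False))
    return entries


def whitelist_conflicts(entries, whitelist):
    """Return (blocked_entry, whitelist_network) pairs where a block lands inside a whitelisted network."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    conflicts = []
    for entry in entries:
        for net in nets:
            # subnet_of() only compares networks of the same IP version.
            if entry.version == net.version and entry.subnet_of(net):
                conflicts.append((str(entry), str(net)))
                break
    return conflicts


def audit(output, whitelist):
    """Convenience wrapper: parse the table text and return the conflicts found."""
    return whitelist_conflicts(parse_pf_table(output), whitelist)


if __name__ == "__main__":
    for blocked, net in audit(SAMPLE_TABLE_OUTPUT, WHITELIST):
        print(f"{blocked} is blocked but lies inside whitelist {net}")
```

On a real box you would feed it the live table (`pfctl -t snort2c -T show`) instead of the sample, and any conflict it reports points at an address to release with `pfctl -t snort2c -T delete <address>` and at a gap in the whitelist that Spoink consults before blocking.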