Netgate Discussion Forum

    Snort Blocked Host

    pfSense Packages
    • jdeloach

      Does Snort Block Hosts work?

      In Snort Interfaces, Alert settings, I have "Block offenders" checked.  Since I'm still learning my way around pfSense and its packages, is there some other place that I need to enable something so Snort will block offenders or at least list them under the Block tab?

      I have several entries in Alerts but Blocked is always empty.

      • bmeeks

        @jdeloach:

        Does Snort Block Hosts work?

        In Snort Interfaces, Alert settings, I have "Block offenders" checked.  Since I'm still learning my way around pfSense and its packages, is there some other place that I need to enable something so Snort will block offenders or at least list them under the Block tab?

        I have several entries in Alerts but Blocked is always empty.

        Couple of things to check.  First, examine the IP addresses of the entries on the Alerts tab and see if they are part of any whitelist.  Snort automatically whitelists any locally-attached IP networks and the WAN interface IP and far-end gateway.  Second, it could be that the hosts are blocked but the "clearing the block table" issue discussed here frequently is removing them before you see them.  This refers to an issue that cropped up in the 2.1 release of pfSense where anything that causes a reload of the firewall filter clears the Snort block table.  However, as has also been written about here on the Forum many times, clearing the block list is not a huge deal because the offending host will be "re-blocked" when more traffic is observed by Snort.

        Bill
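
The first check described in the reply above, as an added example that is not part of the original thread or the Snort package: it compares source IPs copied from the Alerts tab against the kinds of networks the reply says are whitelisted automatically. The whitelist entries, the alert addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample whitelist (assumption): the categories the reply lists as
# automatically whitelisted. Substitute the values from your own firewall.
WHITELIST = {
    "192.168.1.0/24": "locally attached network",
    "203.0.113.10/32": "WAN interface IP",
    "203.0.113.1/32": "far-end gateway",
}

# Constructed source IPs, as they might be copied from the Alerts tab.
ALERT_IPS = ["192.168.1.50", "203.0.113.1", "198.51.100.23", "not-an-ip"]


def classify_alerts(alert_ips, whitelist):
    """Map each alert IP to the whitelist entry covering it, or None.

    None means no whitelist entry matches, so a block entry is expected.
    Unparseable input is reported as "invalid" instead of being dropped.
    """
    nets = [(ipaddress.ip_network(cidr, strict=False), f"{cidr} ({label})")
            for cidr, label in whitelist.items()]
    result = {}
    for raw in alert_ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            result[raw] = "invalid"
            continue
        # A membership test across IP versions is simply False, so mixed
        # IPv4/IPv6 whitelists are safe here.
        result[raw] = next((why for net, why in nets if addr in net), None)
    return result


def expected_blocks(alert_ips, whitelist):
    """Alert IPs that match no whitelist entry and should appear as blocked."""
    verdicts = classify_alerts(alert_ips, whitelist)
    return [ip for ip, why in verdicts.items() if why is None]


if __name__ == "__main__":
    for ip, why in classify_alerts(ALERT_IPS, WHITELIST).items():
        print(f"{ip:>15}  {'should be blocked' if why is None else why}")
```

If every alert address maps to a whitelist entry, an empty Blocked tab is the expected result rather than a fault.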

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.