Snort adds hosts to blocklist but not blocking traffic



  • Hello!
    I'm new to pfSense and snort and I got a task to block P2P traffic.
    I've installed snort package, downloaded rules and enabled snort-p2p and emerging-p2p rules. I've enabled snort on LAN interface and checked "Block Offenders" and left block "Both" IP addresses. Also I've disabled all "Decoder" and "Preprocessor" rules because I've had IMAP related alerts and don't want to block hosts based on these rules.
    I've started uTorrent BitTorrent client on my workstation and I nstantly had a lot of records at "Alerts" and "Blocked" tab,  but I see that my uTorrent still downloads traffic from the peer that is added to blocked!

    So I have visualy working instant of snort, but it doesn't actualy block traffic. Where to search for answer?

    Thanks in advance!


  • Banned

    Did you restart snort?



  • @DmitriyTitov:

    Hello!
    I'm new to pfSense and snort and I got a task to block P2P traffic.
    I've installed snort package, downloaded rules and enabled snort-p2p and emerging-p2p rules. I've enabled snort on LAN interface and checked "Block Offenders" and left block "Both" IP addresses. Also I've disabled all "Decoder" and "Preprocessor" rules because I've had IMAP related alerts and don't want to block hosts based on these rules.
    I've started uTorrent BitTorrent client on my workstation and I nstantly had a lot of records at "Alerts" and "Blocked" tab,  but I see that my uTorrent still downloads traffic from the peer that is added to blocked!

    So I have visualy working instant of snort, but it doesn't actualy block traffic. Where to search for answer?

    Thanks in advance!

    Another thing to consider, the automatic "default" whitelist for Snort includes all locally attached networks.  This means, for instance, that your LAN IP addresses will not get blocked even when they generate an alert.  Now if they go out to an external host, that external host should get blocked.  To ensure this happens, though, you must click the KILL STATE checkbox on the Interface Settings tab for the interface running Snort.  Otherwise the initial packet will establish "state" for the connection and all further traffic for that session bypasses the firewall.  So even though Snort might insert a block, if an entry for the session is in the state table, traffic will continue to flow around the block via the open state table entry.  Killing state when inserting a block is how Snort can get around this.  But killing state is a manual choice of the user.

    Bill


Log in to reply