Netgate Discussion Forum
    Snort adds hosts to blocklist but not blocking traffic

    pfSense Packages
    DmitriyTitov

      Hello!
      I'm new to pfSense and snort and I got a task to block P2P traffic.
      I've installed snort package, downloaded rules and enabled snort-p2p and emerging-p2p rules. I've enabled snort on LAN interface and checked "Block Offenders" and left block "Both" IP addresses. Also I've disabled all "Decoder" and "Preprocessor" rules because I've had IMAP related alerts and don't want to block hosts based on these rules.
      I've started uTorrent BitTorrent client on my workstation and I instantly had a lot of records at "Alerts" and "Blocked" tab, but I see that my uTorrent still downloads traffic from the peer that is added to blocked!

      So I have a visually working instance of snort, but it doesn't actually block traffic. Where to search for answer?

      Thanks in advance!

      doktornotor

        Did you restart snort?

        bmeeks

          @DmitriyTitov:

          Hello!
          I'm new to pfSense and snort and I got a task to block P2P traffic.
          I've installed snort package, downloaded rules and enabled snort-p2p and emerging-p2p rules. I've enabled snort on LAN interface and checked "Block Offenders" and left block "Both" IP addresses. Also I've disabled all "Decoder" and "Preprocessor" rules because I've had IMAP related alerts and don't want to block hosts based on these rules.
          I've started uTorrent BitTorrent client on my workstation and I instantly had a lot of records at "Alerts" and "Blocked" tab, but I see that my uTorrent still downloads traffic from the peer that is added to blocked!

          So I have a visually working instance of snort, but it doesn't actually block traffic. Where to search for answer?

          Thanks in advance!

          Another thing to consider, the automatic "default" whitelist for Snort includes all locally attached networks.  This means, for instance, that your LAN IP addresses will not get blocked even when they generate an alert.  Now if they go out to an external host, that external host should get blocked.  To ensure this happens, though, you must click the KILL STATE checkbox on the Interface Settings tab for the interface running Snort.  Otherwise the initial packet will establish "state" for the connection and all further traffic for that session bypasses the firewall.  So even though Snort might insert a block, if an entry for the session is in the state table, traffic will continue to flow around the block via the open state table entry.  Killing state when inserting a block is how Snort can get around this.  But killing state is a manual choice of the user.

          Bill

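A way to confirm the bypass Bill describes on a running firewall, added here as an example; it is not code from the thread or from the pfSense Snort package. It compares the addresses Snort has inserted into the pf block table with the live pf state table and lists blocked hosts that still have an open session, then shows the pfctl commands that clear those sessions. It assumes the package's block table is the pf table named snort2c, that `pfctl -t snort2c -T show` prints one address per line, and that `pfctl -ss` prints IPv4 endpoints as `addr:port`; the sample table contents are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense Snort package.
# It checks for the bypass bmeeks describes: an address that Snort has put in
# the pf block table while the pf state table still holds an open session for
# it, so traffic keeps flowing around the block until that state is killed.
# Assumptions: the package's block table is the pf table named "snort2c",
# `pfctl -t snort2c -T show` prints one IP per line, and `pfctl -ss` prints
# IPv4 endpoints as "addr:port" (IPv6 endpoints are not handled here).

# leaking_states BLOCKED STATES
#   BLOCKED: newline-separated addresses (output of `pfctl -t snort2c -T show`)
#   STATES:  output of `pfctl -ss`
# Prints, sorted and de-duplicated, each blocked IPv4 address that still
# appears as an endpoint of a live state.
leaking_states() {
    blocked="$1"
    states="$2"
    printf '%s\n' "$blocked" | sed 's/^[[:space:]]*//; /^$/d' |
    while IFS= read -r ip; do
        # escape the dots so 203.0.113.25 does not also match 203.0.113.250
        esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
        if printf '%s\n' "$states" | grep -Eq "(^|[^0-9.])${esc}([^0-9.]|$)"; then
            printf '%s\n' "$ip"
        fi
    done | sort -u
}

# kill_states IP...
# Clears the sessions that keep a blocked host reachable. A single
# `pfctl -k host` only kills states originating from host, so the
# reverse direction is cleared with `pfctl -k 0.0.0.0/0 -k host`.
# With DRY_RUN=1 the commands are printed instead of executed.
kill_states() {
    for ip in "$@"; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf 'pfctl -k %s\n' "$ip"
            printf 'pfctl -k 0.0.0.0/0 -k %s\n' "$ip"
        else
            pfctl -k "$ip"
            pfctl -k 0.0.0.0/0 -k "$ip"
        fi
    done
}

# Constructed sample data (not captured from a real firewall): three blocked
# peers and a state table in which two of them still have live sessions.
# 203.0.113.250 and 198.51.100.70 are decoys that share a prefix with a
# blocked address but are not themselves blocked.
SAMPLE_BLOCKED='   203.0.113.25
   198.51.100.7
   192.0.2.200'
SAMPLE_STATES='all tcp 192.168.1.10:51413 -> 203.0.113.25:6881       ESTABLISHED:ESTABLISHED
all udp 192.168.1.10:6881 -> 192.0.2.200:6881       MULTIPLE:MULTIPLE
all tcp 192.168.1.10:51413 -> 203.0.113.250:6881       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.11:443 <- 198.51.100.70:50000       CLOSED:CLOSED'

if [ "${1-}" = "--live" ]; then
    # On the pfSense box itself (needs root): compare the real tables and
    # kill the leaking sessions.
    leaking=$(leaking_states "$(pfctl -t snort2c -T show)" "$(pfctl -ss)")
    [ -n "$leaking" ] && kill_states $leaking
else
    # Offline demonstration on the constructed sample.
    echo "blocked hosts with live states:"
    leaking_states "$SAMPLE_BLOCKED" "$SAMPLE_STATES"
    echo "commands that would clear them:"
    DRY_RUN=1 kill_states $(leaking_states "$SAMPLE_BLOCKED" "$SAMPLE_STATES")
fi
```

Run without arguments it works on the constructed sample and reports 192.0.2.200 and 203.0.113.25 as blocked hosts whose sessions are still open; `sh script.sh --live` on the firewall performs the same comparison against the real tables and kills the matching states, which is what the "Kill states" option does automatically when a block is inserted.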