Netgate Discussion Forum

    Snort is not blocking

    • tomtomtom6600

      Hi guys,

      I use Snort with pfSense, both in the latest version. A typical constellation: LAN -> WAN is open and traffic is NATed. WAN -> LAN is all denied.
      Now I installed Snort on the LAN interface to see which IP is causing a problem, and I see several events, for example several downloads of an exe file with SID 1:2000419.
      The blocked IPs are on the blocklist. But the download works. And works again once more. This problem is not only an issue with downloads. Many other events have a similar behavior.
      My Snort is in blocking mode. And it is blocking both directions.
      Please help.

      Thanks

      • bmeeks

        @tomtomtom6600:

        Hi guys,

        I use Snort with pfSense, both in the latest version. A typical constellation: LAN -> WAN is open and traffic is NATed. WAN -> LAN is all denied.
        Now I installed Snort on the LAN interface to see which IP is causing a problem, and I see several events, for example several downloads of an exe file with SID 1:2000419.
        The blocked IPs are on the blocklist. But the download works. And works again once more. This problem is not only an issue with downloads. Many other events have a similar behavior.
        My Snort is in blocking mode. And it is blocking both directions.
        Please help.

        Thanks

        Is the box for "Kill State" checked on the INTERFACE tab for Snort?

        Bill

        • tomtomtom6600

          hi bmeeks,

          Yes, it is. The "kill state" is checked. But it is the same behavior when the state is not checked.

          My second problem is that I am not able to activate the ruleset "Snort Text Rules" and the ruleset "Snort SO Rules". They are both deactivated. Why is this?

          Thanks in advance
          tomtomtom

          screenshot_09.png
          screenshot_10.png
          screenshot_11.png

          • bmeeks

            @tomtomtom6600:

            hi bmeeks,

            Yes, it is. The "kill state" is checked. But it is the same behavior when the state is not checked.

            My second problem is that I am not able to activate the ruleset "Snort Text Rules" and the ruleset "Snort SO Rules". They are both deactivated. Why is this?

            Thanks in advance
            tomtomtom

            When you enable the IPS Policy checkbox and choose an IPS Policy, that overrides any customized selections so the Snort VRT text rule and SO rule checkboxes are disabled.  When you choose a policy, the Snort VRT rule authors have, in effect, chosen and enabled the rules for you.

            I am at a loss to explain your first problem.  I think that blocking works for pretty much everyone, or else there would be a large number of posts here about the problem.  Just to be sure something is not corrupted in the binary installation, click the option on the GLOBAL SETTINGS tab to retain Snort settings when deinstalling the package.  Then go to System…Packages and click the X icon to remove Snort.  Return to System…Packages and install Snort again.

            Bill

            • tomtomtom6600

              hi bmeeks,

              thanks for explaining my second problem. This is clear now.
              Back to my first problem. I will do what you have mentioned, but is it possible that my problem has something to do with Squid running in transparent mode? Is it possible that those downloads are cached?

              thanks

              • bmeeks

                @tomtomtom6600:

                hi bmeeks,

                thanks for explaining my second problem. This is clear now.
                Back to my first problem. I will do what you have mentioned, but is it possible that my problem has something to do with Squid running in transparent mode? Is it possible that those downloads are cached?

                thanks

                Ah!  Yes, caching is a possibility.  If you mentioned it before, I missed you saying anything about squid running.

                Bill
