Snort is not blocking



  • Hi guys,

    I use Snort with pfSense, all in the latest version. A typical constellation: LAN -> WAN is open and traffic is NATed. WAN -> LAN is all denied.
    Now I installed Snort on the LAN interface to see which IP is causing a problem, and I see several events, for example several downloads of an exe file with SID 1:2000419.
    The blocked IPs are on the blocklist. But the download works. And works again once more. This problem is not only an issue with downloads. Many other events have a similar behavior.
    My Snort is in blocking mode and is blocking both directions.
    Please help.

    Thanks



  • @tomtomtom6600:


    Is the box for "Kill State" checked on the INTERFACE tab for Snort?

    Bill



  • hi bmeeks,

    Yes, it is. The "kill state" box is checked. But it is the same behavior when the box is not checked.

    My second problem is that I am not able to activate the ruleset "Snort Text Rules" and the ruleset "Snort SO Rules". They are both deactivated. Why is this?

    Thanks in advance
    tomtomtom








  • @tomtomtom6600:


    When you enable the IPS Policy checkbox and choose an IPS Policy, that overrides any customized selections so the Snort VRT text rule and SO rule checkboxes are disabled.  When you choose a policy, the Snort VRT rule authors have, in effect, chosen and enabled the rules for you.

    I am at a loss to explain your first problem.  I think that blocking works for pretty much everyone, or else there would be a large number of posts here about the problem.  Just to be sure something is not corrupted in the binary installation, click the option on the GLOBAL SETTINGS tab to retain Snort settings when deinstalling the package.  Then go to System…Packages and click the X icon to remove Snort.  Return to System…Packages and install Snort again.

    Bill



  • hi bmeeks,

    thanks for explaining my second problem. This is clear now.
    Back to my first problem. I will do what you mentioned, but is it possible that my problem has something to do with Squid running in transparent mode? Is it possible that those downloads are cached?

    thanks



  • @tomtomtom6600:


    Ah!  Yes, caching is a possibility.  If you mentioned it before, I missed you saying anything about squid running.

    Bill
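
A quick way to check the symptom described in this thread (an IP that is already on the blocklist but keeps producing the same alert) is to cross-reference the Snort alert log against the pf table the pfSense Snort package writes blocked addresses into, `snort2c`. The script below is an added example, not code from the thread or from the pfSense Snort package. It assumes the alerts are in Snort's `alert_fast` format and that the block table was dumped with `pfctl -t snort2c -T show`; the alert lines, the table contents, the rule message text and the LAN network are constructed for the example. An offender that is in the table yet has more than one alert is traffic that kept flowing after the block, which is exactly what a cache hit served by a transparent Squid would look like, since the second download never has to reach the blocked server at all.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Regex for Snort's alert_fast output line layout (real format; the sample
# lines below are constructed for this example).
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample alert log: the same external host trips SID 1:2000419 twice.
SAMPLE_ALERTS = """\
03/14-10:22:41.123456  [**] [1:2000419:18] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 203.0.113.10:80 -> 192.168.1.50:49211
03/14-10:25:02.654321  [**] [1:2000419:18] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 203.0.113.10:80 -> 192.168.1.50:49240
03/14-10:31:17.000001  [**] [1:2000419:18] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.7:80 -> 192.168.1.51:51002
"""

# Constructed sample of `pfctl -t snort2c -T show` (one address per line).
SAMPLE_SNORT2C = """\
   203.0.113.10
"""


def parse_fast_alert(line):
    """Return the fields of one alert_fast line, or None if it does not parse."""
    m = FAST_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = f"{d['gid']}:{d['sid']}"  # keep the gid:sid form used in the GUI
    return d


def parse_pf_table(text):
    """Parse pfctl table output: one address or CIDR per line, whitespace padded."""
    entries = set()
    for raw in text.splitlines():
        raw = raw.strip()
        if raw:
            entries.add(ip_network(raw, strict=False))
    return entries


def is_blocked(ip, table):
    a = ip_address(ip)
    return any(a in net for net in table)


def audit(alert_text, table_text, lan_net="192.168.1.0/24"):
    """Group alerts by the non-LAN endpoint and say whether that endpoint is in snort2c."""
    lan = ip_network(lan_net)  # assumed LAN subnet for this example
    table = parse_pf_table(table_text)
    per_offender = defaultdict(list)
    for line in alert_text.splitlines():
        a = parse_fast_alert(line)
        if a is None:
            continue
        # The offender is whichever end of the connection is not on the LAN.
        offender = a["dst"] if ip_address(a["src"]) in lan else a["src"]
        per_offender[offender].append(a["sid"])
    return {
        ip: {"in_snort2c": is_blocked(ip, table), "alerts": len(sids), "sids": sorted(set(sids))}
        for ip, sids in per_offender.items()
    }


def suspicious(report):
    """Offenders that are in the block table yet alerted more than once:
    their traffic kept flowing after the block was installed."""
    return sorted(ip for ip, r in report.items() if r["in_snort2c"] and r["alerts"] > 1)


if __name__ == "__main__":
    rep = audit(SAMPLE_ALERTS, SAMPLE_SNORT2C)
    for ip, r in rep.items():
        print(f"{ip:>15}  blocked={r['in_snort2c']!s:5}  alerts={r['alerts']}  sids={','.join(r['sids'])}")
    print("still alerting after block:", suspicious(rep))
```

On a live box, feed it the real files instead of the constructed samples, for example the `alert` file from Snort's log directory for that interface and the output of `pfctl -t snort2c -T show`. If an address shows up as blocked and still alerting, the next thing to check is whether the repeat transfer actually left the firewall (a packet capture on WAN for that address) or was answered locally by the Squid cache.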