Snort enabled causes strange Firewall log



  • Hi,

    I recently upgraded to a more powerful box for pfSense so I can run something like Snort etc. I installed Snort and configured it. So far so good; I'm satisfied with Snort itself for the moment, but after I looked in the Firewall Log I noticed there are some strange "Blocks" for traffic from LAN->WAN even with the any-any rule for LAN.

    They look like this:

    
     block	Jun 17 02:30:22	WAN	192.168.1.20:1061	239.255.255.250:8082	UDP
     block	Jun 17 02:30:21	WAN	192.168.1.21:1055	239.255.255.250:8082	UDP
     block	Jun 17 02:30:19	WAN	192.168.1.20:1061	239.255.255.250:8082	UDP
     block	Jun 17 02:30:18	WAN	192.168.1.21:1055	239.255.255.250:8082	UDP
     block	Jun 17 02:30:16	WAN	192.168.1.20:1061	239.255.255.250:8082	UDP
     block	Jun 17 02:30:15	WAN	192.168.1.21:1055	239.255.255.250:8082	UDP
     block	Jun 17 02:30:13	WAN	fe80::c225:6ff:fe25:d01f:52971	ff02::c:1900	UDP
    

    and:

    
     block	Jun 17 02:33:11	LAN	192.168.0.100:57634	15.240.60.112:443	TCP:FPA
     block	Jun 17 02:33:10	LAN	192.168.0.100:43832	15.201.224.79:443	TCP:FPA
    

    Yes, I read:
    https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection

    But the fact is, they only show up if Snort is enabled. If Snort is disabled these logs don't show up at all. They show up even with only IPS set to Connectivity and nothing else selected. Should I be worried or just ignore it? As far as I can tell everything is working fine besides that.

    Any suggestions?

    -T5000



  • Does clicking the red X for the block give you an error message that's informative? What rule does it say is causing the blocks?

    Do you need to know what the events are or have you already figured that part out?


  • Moderator

    Hi T5000,

    Do you have these enabled in the Status:System Logs:Settings?

    Log Firewall Default Blocks

    Log packets blocked by the default rule
    Log packets blocked by 'Block Bogon Networks' rules
    Log packets blocked by 'Block Private Networks' rules

    The first set of blocks are Multicasts and the second one seems to be HP (revproxy-pro-site1eprint.houston.hp.com)

    Does Snort have any Alerts around these time frames to help correlate these two together?
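The moderator sorts the two groups of entries by eye (multicast destinations, and a TCP tail to an HP host). The following is an added example, not code from the thread, from pfSense or from Snort, that does the same sorting over log lines of the shape quoted above. The sample lines are constructed for this example in the tab-separated layout the post pastes (action, timestamp, interface, source:port, destination:port, protocol[:TCP flags]); that layout is an assumption about the paste, not a pfSense file format.

```python
"""Bucket pfSense firewall-log "block" entries by the likely reason a catch-all rule saw them.

Added example, not code from the thread, pfSense or Snort. Field layout of the
sample lines (constructed here) is assumed from the thread's paste.
"""
import ipaddress
from collections import Counter
from typing import NamedTuple, Union

# Constructed sample input: three shapes from the thread plus one extra entry
# (a fresh SYN from a LAN host to the same HP address) that the thread does not contain.
SAMPLE_LOG = """\
block\tJun 17 02:30:22\tWAN\t192.168.1.20:1061\t239.255.255.250:8082\tUDP
block\tJun 17 02:30:13\tWAN\tfe80::c225:6ff:fe25:d01f:52971\tff02::c:1900\tUDP
block\tJun 17 02:33:11\tLAN\t192.168.0.100:57634\t15.240.60.112:443\tTCP:FPA
block\tJun 17 02:33:12\tLAN\t192.168.0.100:57640\t15.240.60.112:443\tTCP:S
"""

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class Entry(NamedTuple):
    action: str
    when: str
    iface: str
    src: Address
    sport: int
    dst: Address
    dport: int
    proto: str
    flags: str  # letters after "TCP:", empty for UDP and for TCP without flags shown


def split_endpoint(endpoint: str):
    """'host:port' -> (ip, port). IPv6 hosts contain ':', so split on the last one."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def parse_line(line: str) -> Entry:
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 tab-separated fields, got {len(fields)}: {line!r}")
    action, when, iface, src, dst, proto = fields
    proto_name, _, flags = proto.partition(":")  # "TCP:FPA" -> ("TCP", "FPA")
    src_ip, sport = split_endpoint(src)
    dst_ip, dport = split_endpoint(dst)
    return Entry(action, when, iface, src_ip, sport, dst_ip, dport, proto_name, flags)


def classify(e: Entry) -> str:
    """Name the most likely reason the default deny rule saw this packet."""
    if e.dst.is_multicast:
        # 239.255.255.250 / ff02::c (SSDP) and friends: link-scope chatter that a
        # promiscuous interface receives and that no LAN->WAN pass rule matches.
        return "multicast"
    if e.proto == "TCP" and "S" not in e.flags and ("F" in e.flags or "R" in e.flags):
        # FIN/RST without SYN: tail of a connection whose pf state is already gone
        # (the case described in the pfSense doc the thread links).
        return "closed-state"
    if e.iface == "WAN" and e.src.is_private:
        # RFC 1918 source arriving on WAN: what 'Block private networks' is for.
        return "private-on-wan"
    return "unexplained"  # e.g. a fresh SYN blocked despite an any-any rule: read these


def summarize(log_text: str) -> dict:
    """Count entries per bucket; the 'unexplained' bucket is the one worth reading."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[classify(parse_line(line))] += 1
    return dict(counts)


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        entry = parse_line(raw)
        print(f"{entry.iface:4} {entry.proto:3} {entry.flags:4} {str(entry.dst):>20} -> {classify(entry)}")
    print(summarize(SAMPLE_LOG))
```

The point of the last bucket: multicast noise and late FIN/ACK packets are expected once an interface sees more than its own unicast traffic, while a blocked SYN from a LAN host that should match the any-any rule is the kind of entry that actually indicates a misconfiguration.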


  • Moderator

    Disable logging for the block private networks rule (in the system logs settings)

    https://forum.pfsense.org/index.php?topic=70753.0



  • As mentioned in the linked thread by BBcan177, Snort puts any interface it runs on in promiscuous mode.  This means the interface sees all traffic on the segment/port it is connected to and not just traffic aimed at its MAC address.  If you don't want to see the traffic, you can either add an explicit "block but don't log" rule for it, or you can take the approach mentioned in the thread linked by BBcan177.

    Bill
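The "block but don't log" rule Bill suggests, written out in raw pf syntax as an added illustration (not from the thread or from pfSense; in pfSense you would create it under Firewall > Rules with the logging checkbox off, and pfSense generates the pf rule for you). The interface name em0 and the 192.168.1.0/24 source network are assumptions for this example; the last line is pfSense's own catch-all as shown by the red X in the thread.

```pf
# Assumed interface name em0 and source network 192.168.1.0/24 (example only).
# Explicit matches placed before the catch-all: "quick" stops rule evaluation,
# and the absence of the "log" keyword is what keeps them out of the firewall log.
block drop in quick on em0 inet proto udp from 192.168.1.0/24 to 239.255.255.250
block drop in quick on em0 inet6 proto udp from fe80::/10 to ff02::/16 port 1900

# pfSense's generated catch-all (quoted in the thread): "log" produces the entries seen.
block drop in log inet all label "Default deny rule IPv4"
```

Only the multicast chatter should be silenced this way; do not add unlogged blocks for the TCP:FPA entries, since those are late packets of already-closed sessions and hiding them would also hide genuine blocked traffic to the same hosts.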



  • @fearnothing:

    Does clicking the red X for the block give you an error message that's informative? What rule does it say is causing the blocks?

    Do you need to know what the events are or have you already figured that part out?

    Not really, it just says: @5 block drop in log inet all label "Default deny rule IPv4". The service works correctly though, but I find it odd that these blocks show up only with Snort enabled. Isn't the default block rule active anyway?

    @BBcan177:

    Hi T5000,

    Do you have these enabled in the Status:System Logs:Settings?

    Log Firewall Default Blocks

    Log packets blocked by the default rule
    Log packets blocked by 'Block Bogon Networks' rules
    Log packets blocked by 'Block Private Networks' rules

    The first set of blocks are Multicasts and the second one seems to be HP (revproxy-pro-site1eprint.houston.hp.com)

    Does Snort have any Alerts around these time frames to help correlate these two together?

    Not really, the only thing that shows up in Snort is: ET MALWARE Alexa Spyware Reporting. And yes, I have enabled these settings. I already figured out that the blocks will not be logged without them, but the same is true without Snort enabled.

    So as I said, I was just curious if this has something to do with Snort because, as I mentioned, without Snort enabled they won't show in the Firewall log. I was just worried that Snort does something strange in the background and messed up my network connections. They work correctly I think; I didn't see anything that doesn't work as before.



  • Well looking at it logically,

    • the default in pfSense is to deny all
    • you do not have logging for this default turned on when snort is not present
    • when snort is on, this rule starts logging

    My guess is that snort enables logging for this rule as part of its base configuration.



  • @fearnothing:

    Well looking at it logically,

    • the default in pfSense is to deny all
    • you do not have logging for this default turned on when snort is not present
    • when snort is on, this rule starts logging

    My guess is that snort enables logging for this rule as part of its base configuration.

    Nope, Snort does not touch the firewall rules at all.  All it does is put the interface in promiscuous mode.  I promise it does not touch any firewall rules or pfSense logging options.

    Bill

