• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Snort automatic blocking for specified rules only?

Scheduled Pinned Locked Moved pfSense Packages
5 Posts 3 Posters 1.2k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • F
    fearnothing
    last edited by Jun 26, 2014, 5:59 AM

    Is there a way to fine tune the automatic blocking? There are some things which I would like to receive alerts for but not block by default.

    1 Reply Last reply Reply Quote 0
    • B
      BBcan177 Moderator
      last edited by Jun 26, 2014, 6:10 AM

      You can use pass lists to not alert. You could disable a rule and add a custom rule to meet your needs. But you can't have a rule that just alerts as all the rules are designed to block unfortunately.

      What are you trying to do? There may be other solutions?

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      1 Reply Last reply Reply Quote 0
      • F
        fearnothing
        last edited by Jun 26, 2014, 6:57 AM

        Enable automatic blocking but not block the hosts that are triggering the TCP/UDP Filtered Port Scan events - it gets set off by IRC servers and some other communication apps I use.

        1 Reply Last reply Reply Quote 0
        • B
          BBcan177 Moderator
          last edited by Jun 26, 2014, 7:00 AM

          Take a look at the port scan Pre-processor. There are settings there to not alert on certain scanners and also has some other tuning settings.

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          1 Reply Last reply Reply Quote 0
          • B
            bmeeks
            last edited by Jun 26, 2014, 6:45 PM

            @BBcan177:

            Take a look at the port scan Pre-processor. There are settings there to not alert on certain scanners and also has some other tuning settings.

            BBcan177 is correct.  There are a number of tunable parameters for the portscan preprocessor.  It's on the PREPROCESSORS tab for the interface.  One thing you can do is a create an Alias containing hosts that should never trigger a portscan alert.  That is the "Ignore Scanners" box.  Create the alias with those hosts under Firewall…Aliases, then come to the PREPROCESSORS tab and enter the alias name in the "Ignore Scanners" box.

            Bill

            1 Reply Last reply Reply Quote 0
            5 out of 5
            • First post
              5/5
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
              This community forum collects and processes your personal information.
              consent.not_received