Rebooting pfsense router removes snort blocked hosts?
-
Hello,
I have just rebooted my new pfsense router for the first time after installing snort a couple of days ago. While I can see all the old alerts that were generated prior to reboot, when I check "blocked" tab no hosts were displayed (as if they've been cleared). Prior to reboot I had about 130 records there.
Is this normal behavior? When I reboot pfsense, I loose all the blocked hosts? If not normal, what could be the problem here? Any way to get the blocked hosts back from the alerts that were generated (which were actually saved after reboot)?
Thanks a lot!
Dmitri2.1.4-RELEASE (amd64)
built on Fri Jun 20 12:59:50 EDT 2014
FreeBSD 8.3-RELEASE-p16snort 2.9.6.0 pkg v3.0.13
-
Nevermind. I found my answer. Apparently this is normal behavior.
https://forum.pfsense.org/index.php?topic=66904.0
Thank you!
-
Hi dmitripr,
In Snorts Global Settings, you have the option to set:
Remove Blocked Hosts Interval
Which can be set to Never, which shouldn't clear the table. I haven't noticed that its cleared at reboot as I seldom reboot the pfSense Box.
-
Hi dmitripr,
In Snorts Global Settings, you have the option to set:
Remove Blocked Hosts Interval
Which can be set to Never, which shouldn't clear the table. I haven't noticed that its cleared at reboot as I seldom reboot the pfSense Box.
Yes, I saw that. I do have it set for never, but I don't think it affects the behavior after reboot. Based on the topic I link in my second message, looks like the blocked hosts are removed when filter is reset – which would happen at reboot. That's outside of Snort's control.
Thanks for the message, though!
-
… Based on the topic I link in my second message, looks like the blocked hosts are removed when filter is reset -- which would happen at reboot. That's outside of Snort's control.
Thanks for the message, though!
Correct. On a reboot all of the pf tables are cleared, including the <snor2c>table utilized by Snort.
Bill</snor2c>
