Blocked IP addresses not showing up in log

  • Hey there,

    We have an alias named blacklised_network.
    We have 3 networks listed.
    We are blocking everything coming from those networks.

    Snort sees the traffic and it's reporting it, but unfortunately we don't have IPS turned on at this point.
    Can't turn it on at this point.

    When I check the firewall log I see nothing for those IP addresses, but logging for the rule is turned on.
    When I check the states I see the IP address that's supposed to be blocked.

    I see traffic from those IP addresses to ports that are not open, but nothing in the log for ports that are open and that they are hitting.

    5.254.116.184 has been doing a brute force against an Exchange server all day.

    I created a rule just for that IP and that seems to work.
    I see no states for that one.
  • That rule's correct to block traffic on WAN sourced from the contents of that alias, but it will have to go above any pass rules on WAN that would otherwise match. I'm guessing you have at least some pass rules above it.

    Adding a block rule doesn't block already-established connections, so you'll want to kill those states after ensuring the rule is on top of the WAN rules.
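    As an added illustration of the point above (example code, not from the thread or from pfSense itself): this Python script walks a constructed sample of `pfctl -ss` output, picks out the states whose source falls inside the alias networks (the already-established connections a newly added block rule does not touch) and prints the `pfctl -k` commands that would remove them. The state-line layout, the sample lines and the alias contents are assumptions.

```python
import ipaddress

# Constructed sample of `pfctl -ss` output (not from the original thread).
# Assumed layout: "<iface> <proto> <endpoint A> [(nat)] <dir> <endpoint B> <state>",
# "<-" = inbound state whose source is endpoint B, "->" = outbound state whose
# source is endpoint A. IPv4 only.
SAMPLE_STATES = """\
all tcp 192.0.2.10:443 <- 5.254.116.184:51234       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:443 <- 5.254.116.184:51235       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:25 (10.0.0.5:25) <- 198.51.100.77:40001       ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:53 <- 203.0.113.9:3456       MULTIPLE:SINGLE
all tcp 192.0.2.20:50000 -> 198.51.100.5:80       ESTABLISHED:ESTABLISHED
"""

# Constructed stand-in for the contents of the blocked-networks alias.
BLOCKED_NETWORKS = ["5.254.116.184/32", "198.51.100.0/24", "203.0.113.0/24"]


def parse_states(text):
    """Return (proto, source_ip, peer_endpoint, state) for each state line."""
    parsed = []
    for line in text.splitlines():
        tokens = line.split()
        if "<-" in tokens:  # inbound: source is on the right of the arrow
            src, peer = tokens[tokens.index("<-") + 1], tokens[2]
        elif "->" in tokens:  # outbound: source is endpoint A
            src, peer = tokens[2], tokens[tokens.index("->") + 1]
        else:
            continue  # not a state line
        src_ip = src.strip("()").rsplit(":", 1)[0]
        parsed.append((tokens[1], src_ip, peer, tokens[-1]))
    return parsed


def states_from_blocked(states, networks):
    """States sourced from the alias networks: pf matched them to a pass rule
    before the block rule existed, so only killing them stops the traffic."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [s for s in states if any(ipaddress.ip_address(s[1]) in n for n in nets)]


def kill_commands(states):
    """One `pfctl -k <source host>` per offending source, in first-seen order."""
    return [f"pfctl -k {h}" for h in dict.fromkeys(s[1] for s in states)]


if __name__ == "__main__":
    left = states_from_blocked(parse_states(SAMPLE_STATES), BLOCKED_NETWORKS)
    for proto, src, peer, state in left:
        print(f"{proto} {src} -> {peer} [{state}] still passes the block rule")
    print("\n".join(kill_commands(left)))
```

    Note that the outbound state to 198.51.100.5 is not selected even though that host is inside a blocked network: the rule blocks by source, and so does the matching here.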



  • @cmb:

    That rule's correct to block traffic on WAN sourced from the contents of that alias, but it will have to go above any pass rules on WAN that would otherwise match. I'm guessing you have at least some pass rules above it.

    Adding a block rule doesn't block already-established connections, so you'll want to kill those states after ensuring the rule is on top of the WAN rules.

    It's on top, but I am sure it's the already-established connections I am seeing.
    I killed those last night and I don't see any now.

    Thanks.