Getting Blocks from snort2c but not running Snort



  • I am running the latest 2.2 build.  I am not sure if this is an issue with the 2.2 or something else but I have only noticed since I began running 2.2.

    If this belong elsewhere please let me know.

    I am noticing blocks to various IPs.  When I check the block it says "The rule that triggered this action is: @47(1000000118) block drop log quick from any to snort2c:0label "Block snort2c hosts".  I looked through all of my rules and a rule with that label does not exist.  I then got on the CLI and performed a rule dump using 'pfctl -s rules' and the following two rules are in the table:

    block drop log quick from <snort2c>to any label "Block snort2c hosts"
    block drop log quick from any to <snort2c>label "Block snort2c hosts"

    Where did these come from and how do I disable them?  I am not running nor have I ever installed Snort and this is blocking legitimate traffic.

    Thanks for all the help!</snort2c></snort2c></snort2c:0>



  • They're always there, they're just empty if you're not running Snort or Suricata. Can check its contents from Diag>Tables.



  • Ah,

    Don't mind me…I see what is happening now.  Mark me embarrassed  :-.

    I do have Suricata installed and doing some testing.  I was unaware that Suricata used the snort2c list to block hosts.

    Still in learning mode on all that.

    Thanks for the help!

    Dan



  • @dancwilliams:

    Ah,

    Don't mind me…I see what is happening now.  Mark me embarrassed  :-.

    I do have Suricata installed and doing some testing.  I was unaware that Suricata used the snort2c list to block hosts.

    Still in learning mode on all that.

    Thanks for the help!

    Dan

    Yes, for expediency when Suricata blocking mode was released, it used the same pre-existing <snort2c>table.  That's why you don't want Snort and Suricata both installed and blocking on the same box.  It's OK to install both if you really want to, but only one of them should be configured for blocking.

    Bill</snort2c>


Log in to reply