Netgate Discussion Forum
    Getting Blocks from snort2c but not running Snort

    Category: 2.2 Snapshot Feedback and Problems - RETIRED
    4 Posts, 3 Posters, 5.6k Views
    dancwilliams

      I am running the latest 2.2 build.  I am not sure if this is an issue with 2.2 or something else, but I have only noticed it since I began running 2.2.

      If this belongs elsewhere please let me know.

      I am noticing blocks to various IPs.  When I check the block it says "The rule that triggered this action is: @47(1000000118) block drop log quick from any to <snort2c:0> label "Block snort2c hosts"".  I looked through all of my rules and a rule with that label does not exist.  I then got on the CLI and performed a rule dump using 'pfctl -s rules' and the following two rules are in the table:

      block drop log quick from <snort2c> to any label "Block snort2c hosts"
      block drop log quick from any to <snort2c> label "Block snort2c hosts"

      Where did these come from and how do I disable them?  I am not running Snort, nor have I ever installed it, and this is blocking legitimate traffic.

      Thanks for all the help!

      cmb

        They're always there; they're just empty if you're not running Snort or Suricata.  You can check the table's contents from Diag > Tables.

        dancwilliams

          Ah,

          Don't mind me…I see what is happening now.  Mark me embarrassed  :-.

          I do have Suricata installed and doing some testing.  I was unaware that Suricata used the snort2c list to block hosts.

          Still in learning mode on all that.

          Thanks for the help!

          Dan

          bmeeks

            @dancwilliams:

            I do have Suricata installed and doing some testing.  I was unaware that Suricata used the snort2c list to block hosts.

            Yes, for expediency when Suricata blocking mode was released, it used the same pre-existing <snort2c> table.  That's why you don't want Snort and Suricata both installed and blocking on the same box.  It's OK to install both if you really want to, but only one of them should be configured for blocking.

            Bill
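            The two answers above (the <snort2c> table always exists and is shared by Snort and Suricata) suggest a quick check for the situation Dan hit.  The script below is an added example, not code from this thread or from the Snort/Suricata packages.  It pulls the table name out of a firewall-log rule, counts and looks up hosts in `pfctl -t snort2c -T show` output, and flags a box with both IDS packages installed.  The `pfctl -T show/test/delete/flush` subcommands are standard pf; the sample table and `pkg info` output are constructed, and the package names `pfSense-pkg-snort` / `pfSense-pkg-suricata` are an assumption.

```sh
#!/bin/sh
# Inspect the shared pf <snort2c> table on pfSense and spot a second blocker.
# Added example, not code from the thread or from the Snort/Suricata packages.
# The parsing functions take command output on stdin so they run anywhere;
# the snort2c_* wrappers at the end are the live commands for the firewall shell.

# Constructed sample of what `pfctl -t snort2c -T show` prints (one host per line).
SAMPLE_TABLE='   203.0.113.5
   198.51.100.23
   2001:db8::10'

# Constructed sample of `pkg info` output with only Suricata installed.
# Package names pfSense-pkg-snort / pfSense-pkg-suricata are assumed.
SAMPLE_PKGS='pfSense-pkg-suricata-7.0.2
pfSense-pkg-openvpn-client-export-1.6'

# Pull the table name out of a firewall-log rule such as
#   block drop log quick from any to <snort2c:0> label "Block snort2c hosts"
# Anything in <...> in a pf rule is a table, so it lives under Diag > Tables,
# not in the rule list.  Rule text on stdin; prints the table name.
rule_table_name() {
    sed -n 's/.*<\([^:>]*\)[:>].*/\1/p'
}

# Count the hosts in a table.  `pfctl -T show` output on stdin.
table_entry_count() {
    grep -c '[0-9a-fA-F]'
}

# Exit 0 if address $1 is listed in the table given on stdin, else 1.
table_has_host() {
    sed 's/^[[:space:]]*//' | grep -Fqx -- "$1"
}

# Which IDS packages are installed?  `pkg info` output on stdin; prints one per line.
ids_packages() {
    grep -oE 'pfSense-pkg-(snort|suricata)' | sed 's/^pfSense-pkg-//' | sort -u
}

# Exit 0 when at most one of snort/suricata is installed, 1 when both are,
# since both write to the same <snort2c> table once blocking is enabled.
check_single_blocker() {
    n=$(ids_packages | wc -l | tr -d ' ')
    [ "$n" -le 1 ]
}

# Live wrappers (only meaningful on the firewall; pfctl -T subcommands are standard pf).
snort2c_show()    { pfctl -t snort2c -T show; }            # same data as Diag > Tables
snort2c_test()    { pfctl -t snort2c -T test "$1"; }       # is $1 matched by the table?
snort2c_unblock() { pfctl -t snort2c -T delete "$1"; }     # clear one host
snort2c_flush()   { pfctl -t snort2c -T flush; }           # clear every host
snort2c_rules()   { pfctl -s rules | grep -F '<snort2c>'; } # the two block rules Dan saw

# Demo on the constructed samples (the live wrappers are not called here).
RULE='block drop log quick from any to <snort2c:0> label "Block snort2c hosts"'
printf 'table referenced by rule: %s\n' "$(printf '%s\n' "$RULE" | rule_table_name)"
printf 'hosts in snort2c: %s\n' "$(printf '%s\n' "$SAMPLE_TABLE" | table_entry_count)"
if printf '%s\n' "$SAMPLE_PKGS" | check_single_blocker; then
    echo "one blocker installed: $(printf '%s\n' "$SAMPLE_PKGS" | ids_packages)"
else
    echo "both snort and suricata installed: enable blocking in only one"
fi
```

            On the firewall, `snort2c_show` gives the same list the GUI shows under Diag > Tables, and `snort2c_unblock` removes a single wrongly blocked host without disabling the package.  Removing the two `block ... <snort2c>` rules themselves is not the fix; they are created by the system and do nothing while the table is empty.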

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.